Introduction to the Legislation
The Danish Constitution was last amended in 1953, and it does not take IT and other modern-day technologies (eg, artificial intelligence) into consideration. It includes a generic provision about privacy of correspondence and inviolability of property, but it does not contain general provisions on data protection or privacy.
Denmark is a party to the European Convention on Human Rights which includes a general provision on privacy in Article 8 (about the right to respect for private and family life). In practice, however, matters regarding personal data are governed by the special laws on data protection; most prominently the EU General Data Protection Regulation 2016/679 (GDPR).
The GDPR has been a major law within the field since its entry into force on 25 May 2018, and it applies directly in Denmark and constitutes the fundamental law in the field. In Denmark, the GDPR is supplemented by the Danish Data Protection Act of 23 May 2018 (DDPA). The DDPA contains local procedural rules, and details and modifies requirements in a number of areas; eg, processing of personal data about children and data about criminal offences, as well as use of data by public authorities.
The Danish Act on Law Enforcement of 27 April 2017 (DALE) – based on the so-called law enforcement directive (EU directive 2016/680) – supplements the GDPR and DDPA and governs the processing of personal data in the context of public law enforcement by the police, the prosecution service and similar public bodies.
The central definitions used in the GDPR, such as “personal data”, “processing”, “controller” and “processor”, apply directly and have exactly the same meaning in Denmark.
Overview of the Enforcement and Penalty Environment
Enforcement in Denmark is predominantly carried out by the Danish Data Protection Authority (hereinafter the Regulator). In addition, claims regarding violation of privacy and data protection regulations are from time to time made in civil lawsuits.
The entry into force of the GDPR has led to an increase in enforcement as well as the greater severity of penalties and claims, but the environment in Denmark is still fairly mild compared to larger countries in the EU, such as Germany and France, and even the other Nordic countries (which have historically taken a similar approach with relatively low fines).
When enforcing the legislation, the Regulator formally hands over the enforcement actions to the Danish Prosecution Service (DPS), which subsequently prosecutes the alleged violations before the courts. The enforcement of the GDPR and DDPA by the Regulator and DPS is still at an early stage, where the Regulator and DPS are considering and selecting which cases to bring before the courts to establish a clear methodology for calculating the fines and determining the fine level for various types of violations.
In 2021 the Regulator and DPS published official guidelines with proposals for a methodology and fine levels for the different types of violations of the GDPR and DDPA. The Regulator and DPS will apply and argue using this methodology before the courts, but to become binding the courts will need to confirm the methodology in their judgments. A free fine calculator created by the authors of this chapter, which can be used to calculate fines according to the new fine model, is available online.
The Danish Data Protection Authority (the Regulator) is the key regulator in the field.
The Regulator has jurisdiction to oversee compliance with the GDPR and DDPA in relation to all persons and private entities as well as public bodies in Denmark. In addition, the Regulator has jurisdiction to oversee compliance with DALE in relation to processing of personal data in the context of law enforcement.
The Regulator publishes guidance in relation to the GDPR, DDPA and DALE on its website, and conducts audits when overseeing compliance. The audits may take place on a written basis (where the Regulator sends a written request for information to be provided in writing) or as physical audits (where the Regulator inspects relevant sites and premises). The Regulator will by default and in most cases notify in advance of physical audits, but prior notification is not required.
For 2020, the Regulator has reported a total of 402 cases relating to audits and investigations, including planned audits of 18 private entities and 64 public authorities, 73 cases initiated on the basis of media coverage and similar, as well as 137 cases based on notifications from private persons and public authorities. The Regulator has further disclosed that 18 cases were handed over for prosecution to the DPS, as well as a small number of cases (exact number undisclosed) for further investigation, in 2020.
Following the entry into force of the GDPR, the Regulator has received increased funding to hire more staff. In 2017 the Regulator had approximately 34 employees (full-time equivalents), and by 2021 the number had risen to 61. This has allowed the Regulator to increase activities within audits and inspections, but also in general to provide more guidance to the public on various topics related to compliance with the GDPR and DDPA. On top of the increased funding, it was announced in December 2021 that the Regulator is to receive additional funding for providing more guidance to authorities and businesses in relation to data security.
With respect to the use of cookies on websites, both the Regulator and the Danish Business Authority have jurisdiction. The Danish Business Authority formally has jurisdiction in relation to the executive order on cookies (No 1148 of 9 December 2011) that implements the cookie rules from the E-Privacy directive (EU directive 2002/58). The Regulator does, however, in practice also enforce use of personal data on websites collected using cookies (because the GDPR and DDPA also apply to such processing).
Overall Approach to Audits
The Regulator may at its own discretion decide which private and public bodies to audit. In practice, the decision will depend on the type of enforcement the Regulator is carrying out.
The Regulator carries out so-called planned enforcement and ad hoc enforcement. To carry out the planned enforcement the Regulator defines a number of focus areas each year, and for each focus area the Regulator identifies relevant private and public bodies and decides which ones to audit. The ad hoc enforcement is carried out on the basis of complaints, notification of data breaches, news in the media and similar information received by the Regulator that indicates a need for the Regulator to look into compliance by a specific private or public body. Based on such information the Regulator decides which private and public bodies to audit ad hoc.
The Regulator may carry out the audits on a written basis by sending a questionnaire or letter with questions to the person or entity that is subject to the audit. Depending on the answers the Regulator may render a decision on the basis of the answers, ask additional questions, or – if relevant – initiate a physical inspection of the subject’s premises. Written audits are the most common, as they allow the Regulator to audit larger groups of persons and entities efficiently. Physical inspections are less common, but do take place when deemed relevant by the Regulator. The Regulator will typically notify the persons or entities that are to be subject to a physical inspection at least 14 days in advance, but prior notification is not strictly required if certain exceptions apply (eg, that there is a risk of destruction of evidence if the subject is notified).
Conducting Inspections
When carrying out inspections the employees of the Regulator are entitled to access premises where data is processed at any time without a court order, provided that appropriate ID is shown. The Regulator may require the local police to assist in order to gain access to such premises. During audits the Regulator can demand any information that is of relevance to assess compliance with the GDPR and DDPA, but the nemo tenetur principle applies to the persons or entities subject to an audit (except for public bodies), whereby they are allowed to refrain from answering questions and providing information to the extent this may incriminate them.
When carrying out physical inspections of premises that are not publicly available (such as internal office spaces or server rooms) the Regulator shall also ensure that the access it requests is reasonable and proportionate to the purpose for which the access is sought.
Concluding the Audit
When the Regulator has completed an audit and analysed the collected information, it will by default send a letter to the persons or entities that have been subject to the audit outlining the facts, its findings and the reasoning for its proposed decision. The persons or entities that have been subject to the audit will then have the opportunity to comment on this and provide additional information. Said persons may also, at any time, request access to the information the Regulator holds about them, and the Regulator shall by default provide such information.
When the audit is completed, the Regulator will render a formal decision with its findings in respect of compliance with the GDPR and DDPA. The decision cannot be appealed, but it can be brought before the ordinary courts.
Depending on the circumstances the Regulator may decide to publish the decision, and if this is deemed relevant by the Regulator also the identity of the person or entity subject to the audit. The extent of disclosure will depend on a balancing of the interests of the public (in getting the information) and the private interests of the persons and entities whose information will be disclosed (in keeping the information confidential). If the Regulator contemplates disclosing the information, and it is not apparent that the public interest clearly outweighs the private interest, the Regulator will usually consult the persons or entities whose information is to be disclosed.
Territorial Scope of the GDPR and DDPA
As the GDPR is an EU regulation, the national system in Denmark is to a large extent identical to the national systems of the other EU member states. In relation to the Regulator, the GDPR and the DDPA contain rules that determine its jurisdiction over matters governed by the GDPR and DDPA.
The GDPR applies to the processing of personal data by persons and entities established in the EU, regardless of whether the processing takes place in the EU or not. In addition, the GDPR applies to the processing of data about subjects who are in the EU by persons or entities not established in the EU, where that processing relates to the offering of goods and services to such subjects, or the monitoring of their behaviour (as far as the behaviour takes place in the EU).
Correspondingly, as a local addition to the GDPR, the DDPA applies to processing of personal data by persons and entities established in Denmark, regardless of whether the processing takes place in the EU or not, and the DDPA applies to processing of data about subjects who are in Denmark by persons or entities not established in the EU, where the processing relates to the offering of goods and services to such subjects, or the monitoring of their behaviour (as far as the behaviour takes place in the EU).
Jurisdiction of the Regulator
The Regulator has jurisdiction in relation to violations of the DDPA as well as violations of the GDPR that take place in Denmark, and violations of the GDPR by persons and entities established in Denmark.
Where a violation relates to cross-border processing (defined in the GDPR) the rules regarding “one-stop-shop” in the GDPR determine the competence and mode of collaboration of the relevant local regulators. Cross-border processing means processing carried out by persons or entities in more than one EU member state, as well as processing by a person or entity in one EU member state which substantially affects or is likely to substantially affect data subjects in more than one EU member state.
The main principle in the one-stop-shop rules is that one of the regulators (the data protection authorities or supervisory authorities) in the countries concerned is appointed as the lead supervisory authority. The lead supervisory authority is the regulator in the country where the person or entity in question is established, or in case of a group of entities the country where the main establishment of the group is located.
The lead supervisory authority shall facilitate co-operation and exchange of information between the regulators in relation to the case, request assistance from the other regulators as necessary, and drive the case-handling forward. The lead supervisory authority is in charge of drafting the decision in the case, which shall be submitted to the other regulators for comments. Depending on the comments the lead supervisory authority may be obliged to modify the draft decision, but it shall otherwise finalise and adopt it, and notify the main establishment thereof.
Multilateral Effects outside the EU
In an international context, the GDPR imposes restrictions on transfers of personal data from EU member states to countries outside the EU. The rationale behind the restrictions is to ensure that the safeguards surrounding personal data subject to the GDPR cannot be undermined by simply transferring the data to countries where the local data protection legislation is more relaxed or even non-existent.
A transfer of personal data to a third country outside the EU is only allowed if the conditions defined in the GDPR are met. In most cases the relevant conditions are (i) that the third country in question has been deemed as a “safe third country” that has adequate protection, or (ii) that appropriate safeguards are ensured on the basis of binding corporate rules or standard data protection clauses implemented between the data exporter and the data importer in the third country. The binding corporate rules and the standard data protection clauses impose the GDPR on the data importers (located in the third countries) on a contractual basis.
Many countries outside the EU have implemented data protection legislation that contains safeguards similar to those in the GDPR (and in some cases have even largely copied the GDPR; eg, as seen with the LGPD in Brazil) – and the list of “safe third countries” made by the EU Commission is growing, most recently with the UK as a new addition following the adequacy decision adopted after Brexit.
A consequence of the data transfer restrictions is that data transfers are easy to make between EU countries and “safe third countries”, whereas transfers from such countries to all other countries are becoming increasingly difficult (most recently due to the Schrems II decision, which has introduced a requirement for transfer impact assessments; see 4.1 Restrictions on International Data Issues).
Subnational Regulations
There are no subnational regulations in Denmark (ie, no additional specific regulation at region or municipality level).
There are no major NGOs or SROs that work exclusively with privacy or data protection in Denmark, but several organisations provide guidance and participate in the public debate regarding privacy and data protection matters.
The Danish Consumer Ombudsman (DCO) is an independent public authority which supervises compliance with Danish marketing law. Data protection law (GDPR, DDPA etc) and marketing law intertwine in certain areas; eg, in relation to consent (as a legal basis for processing personal data or for sending marketing materials).
The Cyber Security Council is a council established to advise the government on how to improve digital security; to facilitate exchange of knowledge between authorities, industry and universities; and to develop cybersecurity competencies. It consists of members from industry, authorities, consumer organisations and universities.
The Data Ethics Council is an independent organisation established by the Danish government in 2019 to foster debate and raise public awareness in relation to data ethics, and to support responsible and sustainable data use within both the private and public sectors. It consists of members appointed by the Ministries of Justice, Finance, Innovation, Industry, Business and Financial Affairs, who represent public bodies and institutions, private companies and associations as well as NGOs.
As Denmark is an EU member state the national system follows the EU omnibus model with the GDPR applying directly in Denmark (supplemented by the local DDPA that only makes minor modifications and supplementations to the GDPR from a high-level perspective).
In an international context, the Danish system is – like the systems of other EU member states – highly developed. In relation to enforcement, the Danish Regulator is relatively pragmatic and not considered as aggressive as regulators in other EU countries.
The Schrems II decision and the subsequent guidance from the European Data Protection Board on international transfers of personal data have been getting a lot of public attention in Denmark in the last 12 months.
Following the decision, large parts of the public sector have been applying a strict interpretation of the decision, whereby any transfer to third countries by default is unlawful, unless it is a “safe third country” or the data is, for example, encrypted in a way that prevents access for anyone in the third country, including the importer. This restrictive approach has created a lot of challenges in relation to the use of global cloud providers, as many cloud providers operate set-ups where data may be exported to or accessed from third countries, and their services will not function with the required encryption set-up. As a consequence, many public authorities have been taking steps to move away from the use of IT services based on cloud solutions from major global cloud providers.
A new data ethics reporting requirement in the Danish Financial Statements Act came into effect in 2021. The reporting requirement is similar to the reporting requirements for sustainability and has effect for annual accounts for the calendar year 2021 and onwards (ie, annual accounts that are to be filed in the course of 2022 are the first annual accounts subject to the requirement). It is a local requirement that only applies to companies subject to the Danish Financial Statements Act. It obliges the companies to report on their policies on data ethics under a “comply or explain” principle (ie, companies must elaborate on their policies, or explain why they do not have policies).
Data ethics comprise, broadly, ethical principles regarding collection and use of data that organisations commit to honour on a voluntary basis. By definition the principles are to go beyond what the law requires, as mere compliance with applicable law isn’t considered ethical in itself – it is simply expected. In this regard it is stated in the preparatory works that data ethics builds on the GDPR, but the scope isn’t limited to personal data. Data ethics relates to ethical use of any type of data.
A new special Whistleblower Protection Act, introducing a general obligation to establish whistle-blower schemes, came into force in 2021. The act implements the EU Whistleblower Directive (2019/1937) and largely reflects the Articles in the Directive. As a consequence of the Act, many smaller companies need to establish whistle-blower schemes, whereas large international companies with existing global whistle-blower schemes must ensure that their schemes meet the requirements of the Act. The Act obliges companies with more than 49 employees to establish a whistle-blower scheme by 17 December 2023, and companies with more than 249 employees by 17 December 2021.
The Regulator published its enforcement focus areas for 2022 in January 2022. Several of the focus areas are of relevance to businesses as the Regulator will audit both public bodies and private entities in those areas. This includes compliant collection and use of data on web site visitors (eg, collected via cookies), adequate data security, correct handling of data breaches, and audits of data processors.
Schrems II is still a hot topic and it is expected that the focus on international data transfers and transfer impact assessments will continue to be high on the agenda in 2022.
Data ethics and data ethics reporting are also likely to be high on the agenda. The first round of annual reports where companies report on data ethics policies will be published in the spring of 2022. The frontrunners in this field are likely to inspire others to follow, and policies on data ethics will continue to evolve and set new standards, including for suppliers and supplier policies.
The new Whistleblower Protection Act has generated increased focus on whistle-blower schemes. This focus is likely to increase in the SME segment during 2022 and 2023, when many SMEs will be required to establish whistle-blower schemes.
The Danish Executive Order on Logging (No 988 of 28 September 2006) implemented the EU Data Retention Directive (2006/24) and obliges telecoms and internet providers to log data on telephone calls and internet traffic. The European Court of Justice declared the EU Data Retention Directive invalid in 2014, but the executive order is still in force. In a recent case in 2021 the Danish Eastern High Court rejected a claim to invalidate the executive order.
Appointment of Data Protection Officers
A data protection officer is a formal role defined in the GDPR, and the GDPR determines when appointment of a data protection officer is mandatory. All public authorities and bodies (except courts) are required to appoint a data protection officer. Private entities are only obliged to appoint a data protection officer if the core activities of the entity include (i) regular and systematic monitoring of data subjects on a large scale, or (ii) processing on a large scale of sensitive personal data or data relating to criminal convictions.
A data protection officer shall inform and advise on the obligations pursuant to the GDPR and DDPA; monitor compliance with the GDPR, DDPA and data protection policies; advise in relation to data protection impact assessments; co-operate with the supervisory authority; and act as a contact point for the supervisory authority.
Legal Basis for Collection, Use or Other Processing of Personal Data
All the basic principles of the GDPR apply in Denmark, including the principles in Article 5 regarding lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality.
The basic requirement of a legal basis in the GDPR also applies, whereby any processing of personal data for a given purpose must be covered by one of the exceptions in Article 6 of the GDPR, as well as Article 9 in the case of sensitive personal data. This includes legal bases such as consent, performance of a contract, compliance with a legal obligation, and legitimate interests.
Privacy by Design and by Default
The requirements for privacy by design and by default in the GDPR apply in Denmark.
Privacy by design entails that the controller shall consider and implement relevant technical and organisational measures (such as pseudonymisation) which are designed to implement data protection principles (such as data minimisation). In practice this means that the controller must design and configure its processes and IT systems in a manner that ensures that privacy requirements are duly reflected in the design and configuration.
Privacy by default means that the controller must design and configure its processes and IT systems in a manner that ensures that only necessary personal data is processed; ie, only necessary data should be collected, it should only be processed and stored as long as relevant, and it should only be accessible to relevant persons.
Impact and Risk Analyses
Assessing impact and risk to data subjects is a fundamental concept in the GDPR.
Controllers must carry out formal data protection impact assessments (DPIAs) if processing is likely to result in high risks to the data subjects – in particular when using new technologies, or in the case of automated systematic and extensive evaluation of persons, large-scale processing of sensitive data, or large-scale systematic monitoring of areas accessible to the public.
In addition, controllers and processors must assess risks when determining appropriate technical and organisational measures to ensure ongoing confidentiality, integrity, availability and resilience of their IT systems and processes.
Following the Schrems II decision from the European Court of Justice, performing transfer impact assessments prior to transferring data to third countries is also required.
Internal and External Privacy Notices and Policies
Transparency is a fundamental principle in the GDPR, and controllers are required to provide a wide range of specific information to data subjects. A privacy policy is not explicitly required in the GDPR, but privacy policies or notices are in practice often used to convey the mandatory information to the data subjects. This includes information on what data the controller is collecting and using, what the data is being used for, the legal basis for the use, how long the data is stored, and what rights the data subjects have in relation to the data.
External privacy notices are directed at external data subjects (ie, persons outside the organisation, such as customers and website visitors), while internal privacy notices are directed at internal data subjects (eg, employees). In addition to conveying mandatory information, organisations often create formal internal policies and processes to manage their privacy compliance programmes (eg, an internal policy outlining internal roles and responsibilities, as well as processes, on how to handle data breaches or data subject requests). Implementing such policies and processes is in line with the accountability principle in the GDPR.
Data Subject Rights
The GDPR has defined a number of formal rights that data subjects have in relation to their data: the right of access, the right to rectification, the right to erasure, the right to restriction, the right to data portability, and the right to object. Controllers must inform data subjects of these rights and how to exercise them.
Anonymised and Pseudonymised Data
The definition of “personal data” in the GDPR is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Anonymised data or information is “information which does not relate to an identified or identifiable natural person”, or “personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”. As a consequence, anonymised data or information does not constitute personal data, and the GDPR does not apply to such information.
Pseudonymised data is information which has undergone pseudonymisation, but which could still be attributed to a natural person by use of additional information; eg, the name of the person has been made into a pseudonym or deleted, but the other information about the person is unchanged. Such information is still deemed personal data.
Profiling, Automated Decision-Making, AI and Big Data
Automated decision-making and profiling are governed explicitly in the GDPR, and data subjects are by default entitled not to be subject to such processing if it produces legal effects concerning them or similarly significantly affects them.
As exceptions to this main rule, such automated decision-making and profiling is permitted if it is necessary in relation to a contract with the data subject, if it is specifically authorised by local member state law, or if the data subject has given explicit consent.
Big data is not explicitly governed by the GDPR or DDPA, but the processing of big data will in many cases entail processing of personal data, insofar as part of the data sets consist of data that makes it possible to identify natural persons. Where the data is aggregated or otherwise anonymised in a manner that makes identification of natural persons impossible, the GDPR does not apply to the data and processing thereof.
Artificial intelligence (AI) is often defined as the ability of a computer to perform tasks commonly associated with intelligent beings. Machine learning is generally considered a simple form of AI, whereby a computer “learns” to perform certain tasks based on large sets of data used for training. Based on the training the computer develops and refines software algorithms used for generating outcomes, whereby the outcome is gradually improved and validated against the data set.
AI is not governed explicitly in the GDPR or DDPA, but automated decision-making and profiling may make use of AI/machine learning to build and improve algorithms (eg, to predict consumer behaviour).
In 2021 the EU Commission presented a proposal for a new EU Regulation on AI. The AI Regulation is still in a draft form, and it is still unclear what the final version will look like and when it will enter into force. The draft Regulation includes transparency requirements and divides AI systems into different categories based on risk (banned AI systems, high-risk AI systems and other AI systems).
Harm and Injury Related to Use of Personal Data
Any person who has suffered material or non-material damage as a result of an infringement of the GDPR or DDPA is entitled to compensation pursuant to the GDPR and DDPA. Under the GDPR and DDPA the entity or person responsible for the infringement is by default liable for any such damage (exemption of liability requires the entity or person to prove that it is not in any way responsible for the event giving rise to the damage).
The damage suffered includes financial or pecuniary damage, but also non-financial (eg, emotional) damage may be compensated. In relation to the latter it is currently debated among legal scholars in Denmark whether compensation for non-financial damage applies directly on basis of the GDPR, or whether it is further required that the general local requirements for non-financial damage apply (in Section 26 of the Danish Liability for Damages Act).
Special Rules Regarding Sensitive and Sectoral Data
In relation to the financial sector, the DDPA includes a number of special restrictions in relation to credit bureaus, and the sectoral Danish Financial Business Act also includes a detailed regulation on, for example, sharing of confidential information on customers by banks and insurance companies.
Within the life sciences sector, companies often process health data in the context of their research and when performing clinical trials. In practice such private entities will only be able to process such data for research on the basis of consent from the subjects, or based on the so-called research exception (Article 9(2)(j), GDPR) due to the sensitive nature of health data. The DDPA contains additional rules on the research exception in Denmark. Both consent and the research exception have limitations as legal bases for use of health data, and the possibilities in this area are subject to debate and still undergoing changes.
Processing of data on children is, in some respects, subject to additional requirements under the GDPR and DDPA. This is seen, for example, in relation to consent from children below the age of 16, where consent must be given or authorised by the holder of parental responsibility. For Denmark, the DDPA has lowered this threshold to children below the age of 13.
In an employment context, the Regulator has published specific guidance elaborating on, for example, how employees should be furnished with mandatory information, how to process job applicant data and conduct recruitment processes in a compliant manner, and how trade unions and their employee representatives may process data.
Internet and Streaming
The GDPR includes special rules on online behavioural or targeted advertising, whereby the right to object must be brought explicitly to the attention of the data subjects – and separately from other information – at the latest at the time of the first communication with the data subject. In addition, the processing shall cease if the data subject objects.
In the context of social media, the European Court of Justice has established that the social media platforms and companies making use of social media pages can be considered joint controllers in some regards. This decision has sparked the need for special privacy notices on corporate pages on social media.
Data Subject Rights
Please see 2.1 Omnibus Laws and General Requirements for details of data subject rights.
The spam rules in the EU Directive on Privacy and Electronic Communications have been implemented in the Danish Marketing Practices Act. As a consequence, prior consent is by default required for sending unsolicited commercial or marketing communications via email, automated texts or other electronic formats. This applies for communication to any type of recipient (whether consumer, business or public bodies).
In addition, the Danish Consumer Contracts Act further prohibits the use of telemarketing calls to consumers (except for the marketing of books, newspapers, journals, insurance, and rescue services).
Please refer to 2.2 Sectoral and Specific Issues for details on online targeted advertising.
There are no special laws on workplace privacy. Instead the area is governed by the general privacy rules (GDPR and DDPA), the Danish Whistleblower Protection Act as well as other general areas of law (such as employment and criminal law).
Companies are in general allowed to implement cybersecurity tools and insider threat detection and prevention programmes, and monitor workplace communications in this regard (depending on the level of detail of the monitoring).
In practice, monitoring tools may, for example, monitor network traffic and look for unusual patterns, without processing the specific files and messages that may be transmitted, and who they are transmitted from and to. This type of monitoring will by default not give the person or system carrying out the monitoring access to private communication. Such monitoring will therefore often not be problematic in relation to the GDPR, as personal data is only processed indirectly, if at all, and only to pursue a legitimate purpose. On the other hand, monitoring by mass screening messages sent to and from employees will by default constitute processing of personal data, and is unlawful.
Labour organisations and works councils are deemed independent data controllers under the GDPR. In practice it means that organisations must ensure a legal basis for sharing employee data with labour organisations and works councils, and that labour organisations and works councils must ensure that employees are notified of their processing of the employees’ personal data. When determining to what extent an organisation may share data with labour organisations and works councils it is relevant to consider obligations under collective bargaining agreements and similar.
A new Danish Whistleblower Protection Act entered into force in 2021. The law allows for anonymous reporting, and anonymous reporting needs to be possible when operating an external whistle-blower scheme (in contrast to an internal whistle-blower scheme for employees only, where it is not required). See 1.7 Key Developments for more information on the Whistleblower Protection Act.
The concept of discovery as seen in many common law jurisdictions does not exist in Denmark. The Danish Administration of Justice Act does, however, contain rules where a court can order a party to a legal proceeding to disclose information, but the rules in this respect are much more relaxed than, for example, the US discovery rules. International Danish companies are from time to time subject to US discovery proceedings, and may be obliged to store copies of the data in scope for long periods of time (and beyond the time required by regular retention rules). The prolonged storage of such data is in general deemed to be in compliance with the GDPR and DDPA, given the foreign legal obligations to do so, and the limited scope of access to the data in question.
Legal Standards
When determining whether an act or omission is punishable under Danish law the general principle of legality applies (nullum crimen sine lege, nulla poena sine lege poenali), whereby the act or omission in question must be defined as a criminal offence in the law in order for punishment to be ordered.
In Danish criminal cases the defendant is by default deemed innocent, and the DPS must lift the burden of proof and show beyond a reasonable doubt that the defendant has committed the criminal offence in question. The court is not bound by any laws or rules when assessing the evidence and determining whether the defendant has committed the criminal offence in question.
Article 83 of the GDPR outlines a number of basic principles that must be applied when imposing and deciding on the level of fines for violation of the GDPR. These include “the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them”, “the intentional or negligent character of the infringement”, “any relevant previous infringements by the controller or processor” and “the degree of co-operation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement”.
In addition, the general principles for determining sanction amounts found in Chapter 10 of the Danish Penal Code – which in some respects overlap with Article 83 of the GDPR – also apply.
Enforcement Penalties
Fines for violation of the GDPR and DDPA are subject to two specific limits defined in Article 83 of the GDPR (depending on which provisions the infringement relates to). In the case of private entities, maximum fines are either EUR10 million or 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher) or EUR20 million or 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher). The DDPA further stipulates that the punishment may also be up to six months in prison (if the defendant is a physical person). The Regulator and the prosecution service have made a special model for calculating fines. For more information see 1.1 Laws (Overview of the Enforcement and Penalty Environment).
In addition to the formal penalties the Regulator may publish its decision. For more information about this see 1.3 Administration and Enforcement Process.
Enforcement Cases
To date there has only been one published court decision on fines pursuant to the GDPR in Denmark. The first instance court decided on a fine of DKK100,000 for inadequate deletion of data on 350,000 customers. The DPS argued for a fine of DKK1.5 million (in accordance with the recommendation from the Regulator). The DPS has appealed the decision and the appeal is still pending before the high court.
The Regulator has made proposals for fines in a number of other cases, but in no case for a fine above DKK1.5 million. Compared to the other Nordic countries as well as other countries in EU the current level of proposed fines is low in Denmark.
Private Litigation
Private persons and entities may bring suit for compensation and damages against controllers and processors under the GDPR and DDPA. In the event of damage, the controller or processor involved in the processing will be liable for that damage, unless the controller or processor can prove “that it is not in any way responsible for the event giving rise to the damage”. For further information on what constitutes damage see 2.1 Omnibus Laws and General Requirements.
Under the Danish Administration of Justice Act it is possible for a multitude of persons and entities to bring suit jointly as a group, provided that their claims are alike. Group actions of this kind are prima facie similar to class actions, but they differ in that all participants have to actively opt in – and the code of conduct (that all Danish lawyers are subject to) prohibits “no win, no fee” arrangements where the lawyer is entitled to a percentage of the compensation as a legal fee.
As a consequence, group actions are therefore only seen rarely in Denmark in practice, but the formal possibility could lead to group actions being raised, for example, as a consequence of major data breaches severely affecting large groups of persons.
The Danish Act on Law Enforcement (DALE) governs law enforcement processing of personal data in order to prevent, investigate, reveal or prosecute crimes or enforce criminal sanctions. DALE does not apply to access to data by the Danish Security and Intelligence Service and the Danish Defence Intelligence Service.
The Danish Administration of Justice Act outlines the basic requirements for giving law enforcement access to data, IT systems and messages, and such access will as a main rule require a prior court order allowing the specific access. If waiting for a court order would prevent law enforcement from securing evidence, access can be given without a prior court order, but law enforcement will in such case be required to obtain a court order as soon as possible and no later than 24 hours after initiation of the operation. When law enforcement requests a court order, a defence counsel must be appointed by the court to represent the defendant, and the defence counsel must be given the opportunity to argue against the granting of access.
The safeguards in relation to law enforcement processing of the personal data (in DALE) are similar to the safeguards in the GDPR and DDPA, but more limited (transparency, for example, only applies to the extent it does not harm investigations, public security and similar).
The same overall principles referenced in 3.1 Laws and Standards for Access to Data for Serious Crimes apply, but access to messages, etc, is formally governed by different Acts (the Act on the Danish Defence Intelligence Service and the Act on the Danish Security and Intelligence Service), and details regarding, for example, deadlines are different.
The GDPR includes a legal basis for collecting and transferring personal data to governments and authorities; eg, if there is a legal obligation to provide such information when receiving an access request. The legal obligations referenced in the GDPR are, however, limited to legal obligations under the laws of Denmark or other EU member states, and not laws of countries outside the EU. In addition, the data transfer restrictions also limit the ability to transfer personal data to foreign governments outside the EU.
Denmark does not participate in a Cloud Act agreement with the USA.
The key public debates arising in connection with government access to personal data relate to access by foreign governments, most notably access by authorities in the USA on the basis of, for example, FISA 702 (also addressed in the Schrems II case) and access by hacker groups (eg, government-supported industrial espionage, but also ransomware attacks).
As described in 1.4 Multilateral and Subnational Issues, the GDPR includes a general prohibition against transfers of personal data from EU countries to third countries outside the EU. A transfer to such third countries is only allowed if one of the exceptions in the GDPR applies, including a transfer mechanism as further described in 4.2 Mechanisms or Derogations that Apply to International Data Transfers. The threshold for what constitutes a transfer of data to a third country is very low. By way of example any forwarding or copying of data to a recipient in the third country, storage on servers in a third country, as well as remote access to the data from the third country constitutes a transfer.
Following the Schrems II decision, EU data exporters are further required to conduct a transfer impact assessment prior to making a transfer of personal data to a third country. The purpose of the transfer impact assessment is to verify that the safeguards under the GDPR remain effective for the data in question in the third country to which the data is to be exported. When making the assessment the data exporter must consider, inter alia, whether there is anything in the law and/or practices of the third country that may impinge on the effectiveness of the safeguards.
A transfer of personal data from a country in the EU to a third country may take place if the EU Commission has rendered a formal adequacy decision in relation to the third country in question, and decided that the third country ensures an adequate level of protection. A list of such safe third countries can be found here.
In the absence of an adequacy decision a transfer of personal data to a third country may take place if appropriate safeguards (as defined in Article 46 of the GDPR) or derogations (as defined in Article 49 of the GDPR) apply.
Examples of the appropriate safeguards (transfer mechanisms) often seen in practice are (i) a contract between the data exporter and data importer that includes the data protection clauses adopted by the EU Commission, or (ii) binding corporate rules pursuant to Article 47 of the GDPR implemented by the data importer.
In practice the derogations are not used as often as appropriate safeguards. The most common derogation is consent for the transfer from the data subjects in question.
Government notifications or approvals are not required to transfer data internationally under Danish law.
No data localisation requirements apply in relation to personal data in general. Section 3(9) of the DDPA does, however, contain a special localisation rule whereby the Minister of Justice is entitled to decide that personal data processed in certain IT systems on behalf of public bodies must be processed and stored solely in Denmark. This special rule – also known as the “war rule” – also existed prior to the GDPR and DDPA. The Minister of Justice has issued an executive order (latest version of 11 February 2022) that includes a list of the systems subject to the localisation requirement. The list currently only covers eight systems, including the system used by the Danish police and the system used for public digital mail.
The Danish Bookkeeping Act previously included a requirement that companies were obliged to obtain permission to store bookkeeping materials outside Denmark. This requirement has since been relaxed, and it is now possible to store bookkeeping material outside Denmark (eg, on cloud platforms), provided that it is readily available, that passwords, etc, are kept in Denmark, that it can be extracted or printed, and that it is otherwise stored in accordance with the act.
Software code, algorithms or similar technical details are not required to be shared with the Danish government.
An organisation that collects or transfers data in connection with government data requests will in practice often do so to comply with a legal obligation or to carry out a task in public interest. In this regard Recital 45 of the GDPR stipulates that processing that complies with a legal obligation, or which is in the public interest, “should have a basis in Union or Member State law”. As a consequence, legal obligations and public interest stemming from a third country outside EU cannot be used as a formal legal basis for the collection and transfer. For such scenarios the organisation would need to use another legal basis; eg, legitimate interest, which in practice limits the possibility to collect and transfer data for such purposes. International transfer restrictions (see 1.4 Multilateral and Subnational Issues and 4.1 Restrictions on International Data Issues) should also be considered.
In relation to internal investigations, the DDPA stipulates that the processing of data on criminal offences by private entities can take place, provided that it is necessary to pursue a legitimate interest, and that this interest clearly outweighs the interests of the data subject.
The EU considers extraterritorial application of laws adopted by third countries to be contrary to international law, and has enacted a blocking statute (Regulation 2271/96) to protect EU operators against such laws. The blocking statute does not specifically relate to privacy or data protection, and is in practice directed at export control, trade sanctions and similar.
Please refer to 2.1 Omnibus Laws and General Requirements.
It is not a formal requirement to establish protocols for digital governance or fair data practice review boards or committees, but recent developments within the field of data ethics (see 1.7 Key Developments) have led a number of primarily large international companies to establish policies and protocols for digital governance and fair (or ethical) practices on a voluntary basis. In this respect some companies establish internal boards or committees that oversee compliance with their policies and protocols, or anchor this oversight in existing boards or committees. Addressing risks associated with new technologies is a fundamental part of data ethics programmes (eg, creating internal governance on the use of AI and other technologies that may entail a risk to individuals).
Please refer to 2.5 Enforcement and Litigation.
The Regulator has only published limited guidance in relation to the processing of personal data in the context of due diligence in corporate transactions. The guidance was published prior to the GDPR and DDPA, but is based on the same principles that follow from the GDPR.
In short, it is generally allowed to share ordinary non-sensitive personal data as part of a due diligence process, but only to the extent necessary for the diligence and always subject to customary confidentiality obligations. The legal basis for such processing is legitimate interest (now Article 6(1)(f) of the GDPR). For this reason sensitive personal data must by default be redacted from documentation that is to be uploaded into a data room, and consent is by default required if sensitive personal data is to be included.
In the event access to the data room is given to persons located outside the EU, data transfer restrictions should also be considered; see 1.4 Multilateral and Subnational Issues and 4.1 Restrictions on International Data Issues.
The reporting obligations in the NIS Directive (EU Directive 2016/1148) have been implemented in Danish law in the Danish Act on the Centre for Cyber Security. Operators of essential services are obligated to report cybersecurity incidents to the Danish Centre for Cyber Security pursuant to this act.
Separately, all organisations are subject to the general obligations under the GDPR to report data breaches to the supervisory authorities.
Cybersecurity attacks (eg, ransomware) have severely affected several large international Danish companies over the last couple of years (eg, Demant, Vestas and AP Moller – Maersk), as well as a large number of smaller Danish companies. The Danish Centre for Cyber Security assesses the cyberthreat against Denmark on an ongoing basis, and currently assesses the threat as “very high”.
The increase in the number, impact and sophistication of the attacks – and overall risk – has created a heightened awareness about cyber-risk in Denmark, and the topic has been moving up the management agenda of many companies.
In June 2021, a large majority of the parties represented in the Danish Parliament made an agreement to provide additional funding of DKK500 million to strengthen Danish cyberdefences.
Store Kongensgade 77, 1264 Copenhagen, Denmark
+45 33 12 45 40
info@nrlaw.dk
www.nrlaw.dk