Data Protected - Denmark

Contributed by Gorrissen Federspiel

Last updated February 2024

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws

The General Data Protection Regulation (EU) (2016/679) (“GDPR”).

In Denmark, the GDPR is supplemented by the Danish Data Protection Act (act. No. 502 of 23 May 2018, in Danish Databeskyttelsesloven). The Danish Data Protection Act replaced the former Danish Act on Processing of Personal Data (act no. 429 of 31 May 2000) as of 25 May 2018. 

Entry into force

The GDPR has applied since 25 May 2018.

The Data Protection Act entered into force at the same time as the GDPR, on 25 May 2018.

_____________________________________________________________________ Top

National Supervisory Authority

Details of the competent national supervisory authority

Under the Data Protection Act the Danish Data Protection Agency (Datatilsynet) will act as the supervisory authority in Denmark.

The Data Protection Agency (Datatilsynet) (the “Agency”)
Carl Jacobsens Vej 35
DK-2500
Valby
Denmark

Phone +45 33 19 32 00

www.datatilsynet.dk

The Agency will represent Denmark on the European Data Protection Board.

Notification or registration scheme and timing

There is no obligation to notify regulators of any processing under the GDPR.  However, controllers and processors must keep a record of their processing and make it available to their supervisory authority on request (subject to limited exemptions)

Despite there being no obligation to notify regulators under the GDPR, according to the Data Protection Act authorisation from the Agency must be obtained prior to processing personal data, where the processing of personal data is carried out: (i) for the purpose of warning others against having business relations or accepting employment with the data subject (warning registers); (ii) for the purpose of commercial disclosure of personal data to assess financial solidity and creditworthiness (credit information agencies); or (iii) solely for the purpose of operating a judicial information system (judicial information systems).

The Danish Data Protection Agency has published standard application forms for applying for approval of warning registers and credit information agencies. It is mandatory to use the application forms when applying for approval from the Data Protection Agency. In connection with the application forms, the Data Protection Agency has published guidance on how to determine whether a type of business or business activity constitutes a warning register or credit information agency. The guidance and application forms are available on the Danish Data Protection Agency’s website. The Danish Minister of Justice may introduce further regulations in respect of these exceptions as well as further regulations, which will require prior authorisation from the Agency.

In addition, prior authorisation from the Agency must be obtained if personal data processed for scientific or statistical purposes is to be disclosed to a third party.

The Data Protection Act gives the Danish Minister of Justice the power to introduce regulations to require controllers to pay charges for the application. No such regulations have been passed to date.

Exemptions to notification

Not applicable.

_____________________________________________________________________Top

Scope of Application

What is the territorial scope of application?

The GDPR applies to the processing of personal data in the context of the establishment of a controller or processor in the EU.

It also contains express extra-territorial provisions and will apply to controllers or processors based outside the EU that: (i) offer goods or services to individuals in the EU; or (ii) monitor individuals within the EU. Controllers and processors caught by these provisions will need to appoint a representative in the EU, subject to certain limited exemptions.

The European Data Protection Board has issued Guidelines on the territorial scope of the GDPR (3/2018).

Is there a concept of a controller and processor?

Yes. The GDPR contains the concept of a controller, who determines the purpose and means of processing, and a processor, who just processes personal data on behalf of the controller.

The European Data Protection Board has issued Guidelines on the concepts of controller and processor in the GDPR (7/2020).

Both controllers and processors are subject to the rules in the GDPR, but the obligations placed on processors are more limited

Are both manual and electronic records subject to data protection legislation?

Yes. The GDPR applies to both electronic records and structured hard copy records.

Are there any national derogations?

The GDPR does not apply to law enforcement activities which are instead subject to the Law Enforcement Directive. The GDPR also does not apply to areas of law that are outside the scope of Union law, such as national security, and does not apply to purely personal or household activity.

The Data Protection Act contains a number of national derogations, including for journalism, prevention of crime, parliamentary work and legal proceedings.

_____________________________________________________________________Top

Personal Data

What is personal data?

Personal data is information relating to an identified or identifiable natural person.

This is a broad term and includes a wide range of information. The GDPR expressly states it includes online identifiers such as cookies.

Is information about legal entities personal data?

No. However, information about sole traders and partnerships is likely to be personal data.

Processing of information on a legal entity will be subject to the Data Protection Act if: (i) the processing of information is carried out for or on behalf of a credit information agency; or (ii) if the processing of information is carried out with the purpose of warning others against entering into a business or employment relationship with the legal entity.

What are the rules for processing personal data?

All processing of personal data must comply with all six general data quality principles. Personal data must be: (i) processed fairly, lawfully and transparently; (ii) collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; (iii) adequate, relevant and not excessive; (iv) accurate and, where necessary, up to date; (v) kept in an identifiable form for no longer than necessary; and (vi) kept secure.

The processing of personal data must also satisfy at least one condition for processing personal data. These conditions are that the processing is: (a) carried out with the data subject’s consent; (b) necessary for the performance of a contract with the data subject; (c) necessary for compliance with a legal obligation; (d) necessary in order to protect the vital interests of the data subject; (e) necessary for the public interest or in the exercise of official authority; or (f) necessary for the controller’s or a third party's legitimate interests, except where overridden by the interests or fundamental rights and freedoms of the data subject.

These rules are almost identical to the core requirements for processing personal data in the old Data Protection Directive. The European Data Protection Board has issued Guidelines on the performance of a contract processing condition for online services (2/2019).

Are there any formalities to obtain consent to process personal data?

The requirements for consent under the GDPR are strict. 

To be valid, consent must be in clear and plain language and, where sought in writing, separate from other matters. Consent must be based on affirmative action so pre-ticked boxes are not acceptable. Consent might not be valid if: (i) there is any detriment to the data subject for refusing; (ii) there is an imbalance of power; (iii) consent for multiple purposes is bundled together; or (iv) the consent is a condition of entering into a contract. Finally, consent can be withdrawn at any time.

In practice, other processing conditions should be relied on where possible. Consent will only be an appropriate processing condition if the individual has a genuine choice over the matter, for example, whether to be sent marketing materials. 

The European Data Protection Board has issued Guidelines on consent (5/2020).

The Data Protection Act specifically sets out that consent may be used as a legal basis in an employment relationship if the consent is given in accordance with the conditions laid down in the GDPR. This continues the practice in Denmark under the old Data Protection Directive.

Are there any special rules when processing personal data about children?

Consent from a child in relation to online services will only be valid if authorised by a parent. A child is someone under 16 years old, though Member States may reduce this age to 13.

In Denmark, the age at which a child can provide a valid consent in connection with the use of online services is reduced to 15 years old.

Are there any special rules when processing personal data about employees?

The GDPR allows Member States to implement more specific national rules governing the processing of personal data about employees. It may also be possible to process special category personal data where it is necessary for a legal obligation in the field of employment law. 

The Data Protection Act provides that authorisation from the Agency must be obtained prior to processing personal data where the processing takes place for the purpose of warning others against entering into business or employment relations with the data subject (see above under ‘Notification or registration scheme and timing’).

Denmark has used the opportunity provided for in the GDPR to adopt special national rules in relation to processing of personal data about employees. Processing may take place if necessary to comply with the controller’s or data subject’s employment law obligations or rights set out in applicable law or collective bargaining agreements. This applies to both non-special categories of personal data as well as special categories of personal data.

Further, the Data Protection Act provides that processing of the above-mentioned types of personal data may take place where the processing is necessary to enable the controller or a third party to pursue a legitimate interest that arises from other law or collective agreements, provided the interests or fundamental rights or freedoms of the data subject are not overridden.

The Data Protection Act specifically sets out that consent may be used as a legal basis in an employment relationship if the consent is given in accordance with the conditions laid down in the GDPR. This continues the practice in Denmark under the old Data Protection Directive

_____________________________________________________________________ Top

Sensitive Personal Data

What is sensitive personal data?

Special category data is personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. The decision in OT (C-184/20) might suggest this should be interpreted broadly to include publication of information that indirectly discloses these characteristics.

The inclusion of genetic and biometric data is new and an extension to the types of sensitive personal data in the Data Protection Directive.

Information about criminal offences is dealt with separately and is subject to even tighter controls.

In Denmark, processing of personal registration numbers (CPR no.) is subject to specific requirements.

Are there additional rules for processing sensitive personal data?

Special category data may only be processed if a condition for processing special category data is satisfied. A condition arises where the processing: (a) is carried out with the data subject’s explicit consent; (b) is necessary for a legal obligation in the fields of employment, social security and social protection law; (c) is necessary to protect the vital interests of the data subject or another person where the data subject is unable to give consent; (d) is carried out by a non-profit-seeking body and relates to members of that body or persons who have regular contact; (e) relates to data made public by the data subject; (f) is necessary for legal claims; (g) is for reasons of substantial public interest under EU or Member State law; (h) is necessary for healthcare reasons; (i) is necessary for public health reasons; or (j) is necessary for archiving, scientific or historical research purposes or statistical purposes and is based on EU or Member State law.

The Data Protection Act has not implemented item (i) and (j), and the use of these exceptions requires a specific legal basis in other Danish laws such as the Danish health legislation.

The Data Protection Act allows for the processing of sensitive personal data, insofar as processing takes place with a view to operate a judicial information system of significant public interest and such processing is necessary to operate such a system. Furthermore, the Data Protection Act sets out when public authorities and private entities may process information on Danish personal registration numbers (CPR no.), which are subject to some of the same restrictions as sensitive personal data.

Are there additional rules for processing information about criminal offences?

It is only possible to process personal data relating to criminal convictions or offences if: (a) it is carried out under the control of official authority; or (b) when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

The Data Protection Act allows for the processing of information about criminal offences if the data subject has given its explicit consent. In addition, information on criminal offences may be processed: (i) by public authorities if processing is necessary to perform the tasks incumbent on the authority; or (ii) by private entities if processing is necessary for the purposes of pursuing a legitimate interest and such interest clearly overrides the interests of the data subject. The Data Protection Act sets out further requirements as to when information on criminal offences may be disclosed to third parties.

Are there any formalities to obtain consent to process sensitive personal data?

Consent to process sensitive personal data must be explicit. The general restrictions on consent, set out above, will also apply. This suggests a degree of formality, such as ticking a box containing the express words “I consent”. It is unlikely explicit consent could be obtained through a course of conduct.

_____________________________________________________________________ Top

Data Protection Officers

When must a data protection officer be appointed?

Both controllers and processors must appoint a data protection officer if: (i) they are a public authority; (ii) their core activities consist of regular and systematic monitoring of data subjects on a large scale; or (iii) their core activities consist of processing special category personal data on a large scale (including processing information about criminal offences).

Data protection officers must also be appointed where required by national law. However, the Data Protection Act does not impose any additional obligations to appoint a data protection officer.

What are the duties of the data protection officer?

The data protection officer must be involved in all data protection issues and cannot be dismissed or penalised for performing their role. The data protection officer must report directly to the highest level of management. Details of the data protection officer must be communicated to the relevant supervisory authority

The Article 29 Working Party has issued Guidelines on Data Protection Officers (WP243).

The Danish Data Protection Agency has also issued Guidelines on Data Protection Officers.

_____________________________________________________________________ Top

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

The GDPR adds a new general accountability obligation under which you must not only comply with these new rules, but also be able to demonstrate you comply with them. This means ensuring suitable policies are in place supported by audit and training.

Are privacy impact assessments mandatory?

A privacy impact assessment must be conducted where “high risk” processing is carried out. This includes: (a) systematic and extensive profiling that produces legal effects or significantly affects individuals; (b) processing on a large scale either special categories of personal data or personal data relating to criminal convictions and offences; and (c) systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV). Where the assessment indicates the risk cannot be mitigated, the controller must consult the relevant supervisory authority.

The Article 29 Working Party has subsequently issued Guidelines on Data Protection Impact Assessments (WP 248). It suggests there are nine criteria to consider to determine whether to conduct a privacy impact assessment, and that an assessment should be made if two or more of those criteria are met. This is arguably wider than the criteria set out in the paragraph above

The Danish Data Protection Agency has published a list of “high risk” processing activities, which, according to the Danish Data Protection Agency, will require that a privacy impact assessment is carried out.

_____________________________________________________________________ Top

Rights of Data Subjects

Privacy notices

controller must provide data subjects with a privacy notice setting out how the individual’s personal data will be processed. The privacy notice must contain the enhanced transparency information.

The Article 29 Working Party has issued Guidelines on Transparency (WP260).

In Denmark, there is no obligation to provide such information in Danish, though it may be difficult to show that the information has been provided fairly if it is not in a language the data subject is familiar with.

However, the Data Protection Act provides that there should be no duty to provide a privacy notice if the data subject’s interests are overridden by crucial private interests. This rule will be relevant in relation to handling of whistleblowing reports and other internal investigations where the information duty can be postponed.

Rights to access information

Data subjects will have a right to access copies of their personal data by making a written request to the controller. The initial request is free, though a charge can be made for subsequent requests. Controllers can refuse the request if it is manifestly unfounded or excessive. The right to obtain a copy of personal data should not adversely affect the rights and freedoms of others. The response must be provided within a month, though this can be extended by two months if the request is complex

The European Data Protection Board has issued Guidelines on rights of access (1/2022).

The Data Protection Act provides that there should be no right to access information if the data subject’s interests are overridden by crucial private interests. The rule is relevant in relation to handling of whistleblowing reports where subject access requests may be denied if access to information can compromise the investigation or in relation to protection of trade secrets.

The Danish Data Protection Agency has issued updated guidance on data protection in the employment relationship. In a specific complaint case, the Danish Data Protection Agency has made it clear that an employee requesting access to information is not entitled to a copy of all letters, memos, e-mails etc. that the data subject has drafted or sent while working for the controller. The reason is that the purpose of the right to access information is to provide transparency in respect of the processing of personal data to ensure the data subject can verify that the processing of his or her personal data is legal, and that the personal data is correct.

Rights to data portability

Data subjects will also have a right to data portability where the condition for processing personal data is consent or the performance of a contract. It entitles individuals to obtain any personal data they have “provided” to the controller in a machine-readable format. Individuals can also ask for the data to be transferred directly from one controller to another. There is no right to charge fees for this service.

The Article 29 Working Party has issued Guidelines on data portability (WP242).

Right to be forgotten

data subject can ask that their data be deleted in certain circumstances. However, those circumstances are relatively limited, for example where the processing is based on consent, that consent is withdrawn and there are no other grounds for processing. Even where the right does arise, there are range of exemptions, for example where there is a legal obligation to retain the data. 

The European Data Protection Board has issued Guidelines on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1) (5/2019)

Objection to direct marketing

data subject can object to their personal data being processed for direct marketing purposes at any time. This includes profiling to the extent related to direct marketing.

The Data Protection Act states that a company may not disclose information about consumers to other companies for direct marketing purposes or use information about consumers on behalf of another company for the same purpose before the company has checked in the Central Personal Register (“CPR register”) whether the consumer has objected to marketing communications by having registered in the CPR register. The provision was shortened as of 1 January 2024, as the Danish Data Protection Agency doubted whether the previous wording of the provision was within the member states national margin of manoeuvre. The Ministry of Justice has subsequently reconsidered the provision and arrived at the current wording.

After the revision of the provision, the requirements in the GDPR must be met. The GDPR provides that processing can take place to pursue legitimate interests of the controller or third party, when such interests are not overridden by the interests of the data subject.

Other rights

The GDPR contains a range of other rights, including a right to have inaccurate data corrected. There is also a right to object to processing being carried out in the performance of a public task or under the legitimate interests condition

Finally, there are controls on taking decisions based solely on automated decision making that produce legal effects or similarly significantly affects the data subjectThe Article 29 Working Party has issued Guidelines on Automated Decision Making and Profiling (WP251).

_____________________________________________________________________ Top

Security

Security requirements in order to protect personal data

The GDPR contains a general obligation to implement appropriate technical and organisational measures to protect personal data.

In addition, controllers and processors must ensure, where appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of its information technology systems; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

Specific rules governing processing by third party agents (processors)

controller must ensure that any processor it instructs will ensure adequate security for personal data and otherwise meet the requirements of the GDPR.

The controller must have written contracts with its processor containing the enhanced processor clauses.

The Danish Data Protection Agency has published a standard contract under Article 28(8) of the GDPR. The Agency has also provided a template for a joint controller agreement and templates for complying with the information obligation and the data subject rights to access information.

Notice of breach laws

A personal data breach must be notified to the relevant supervisory authority unless it is unlikely to result in a risk to data subjects. The notification must, where feasible, be made within 72 hours. If the personal data breach is a high risk for data subjects, those data subjects must also be notified. 

Specific notice of breach laws apply to the electronic communications sector under national laws implementing the Privacy and Electronic Communications Directive and to operators of essential services and digital service providers under national laws implementing the Network and Information Systems Directive.

The European Data Protection Board has issued Guidelines on Personal Data Breach Notification (9/2022) and Examples regarding Personal Data Breach Notification (1/2021).

Controllers in certain sectors may be required to inform sectoral regulators of any breach, for example, financial services firms may be required to inform the Danish Financial Supervisory Authority (Finanstilsynet) of any breach.

_____________________________________________________________________ Top

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The GDPR contains a restriction on transborder dataflows. This restriction does not apply if the transfer is to a whitelisted country.

Transfers can be made: (i) pursuant to a set of Standard Contractual Clauses; (ii) pursuant to binding corporate rules; (iii) to an importer who has signed up to an approved code or obtained an approved certification; or (iv) where otherwise approved by the relevant supervisory authority. However, following the decision in Schrems II (C-311/18) any transfer made on this basis must be subject to a transfer impact assessment of the laws of the relevant third country and supplemented by supplementary protections where necessary.

The European Data Protection Board has issued Recommendation on European Essential Guarantees for surveillance measures (2/2020) and a Recommendation on measures that supplement transfer tools (1/2020) to help conduct this transfer impact assessment. The European Commission has also issued an FAQ on the new Standard Contractual Clauses.

Transfers are also possible if an individual derogation applies. These derogations allow a transfer if it: (i) is made with the data subject’s explicit consent; (ii) is necessary for the performance of a contract with, or in the interests of, the data subject; (iii) is necessary or legally required on important public interest grounds, or for legal claims; (iv) is necessary to protect the vital interests of the data subject; (v) is made from a public register; or (vi) is made under the so-called minor transfer exemption. 

The European Data Protection Board has issued Guidelines on derogations applicable to international transfers (2/2018). Finally, the European Data Protection Board has issued Guidelines on the interplay between Article 3 and international transfers (2/2018) to help identify when a transfer takes place.

The Ministry of Justice, in collaboration with the appropriate minister, has the authority to issue an Executive Order determining that personal data processed in specific IT systems may only be stored in Denmark. This provision is known as the new war rule. The provision should be limited to personal data processed as part of public administration and the information must be of particular interest for a foreign power. In particular, the provision is expected to apply to at least major national systems such as the CPR register, particular tax systems, and some other special registers, and public e-mailing systems. The Minister of Justice has issued an Executive Order number 1104 of 30 June 2020 and modified by Executive Order number 220 of 11 February 2022. This Executive Order contains a list of the specific IT systems for which data may only be stored in Denmark, together with guidance setting out when the purchase of new IT systems must be assessed by the Ministry of Justice to determine if such systems should be added to the list.

Notification and approval of national regulator (including notification of use of Standard Contractual Clauses)

In general, there is no need for prior approval from a supervisory authority. However, this depends on the justification for the transfer. 

For example, there will be no obligation to get approval for the use of Standard Contractual Clauses (though it is possible some supervisory authorities may want to be notified of their use). In contrast, it will be necessary to get approval to rely on binding corporate rules, and the supervisory authority must be informed of transfers made using the minor transfers exemption.

Use of binding corporate rules

The GDPR places binding corporate rules on a statutory footing. It will be possible to obtain authorisation from one supervisory authority (subject to approval through the consistency mechanism) that will cover transfers from anywhere in the EU. 

_____________________________________________________________________ Top

Enforcement

Fines

The GDPR is intended to make data protection a boardroom issue. It introduces an antitrust-type sanction regime with fines of up to 4% of annual worldwide turnover or €20m, whichever is the greater. These fines apply to breaches of many of the provisions of the GDPR, including failure to comply with the six general data quality principles or carrying out processing without satisfying a condition for processing personal data.

A limited number of breaches fall into a lower tier and so are subject to fines of up to 2% of annual worldwide turnover or €10m, whichever is the greater. Failing to notify a personal data breach or failing to put an adequate contract in place with a processor fall into this lower tier.

Fines can only be imposed where there is an intentional or negligent infringement of the GDPR, see Deutsche Wohnen (C-807/21).

The EDPB has published Guidelines on the calculation of administrative fines (04/2022).

Imprisonment

Fines are issued by the Danish courts. However, the Danish Data Protection Agency can issue a notice under the Danish Data Protection Act based on practices established by the Danish courts. As it can take years to create such a practice, we do not expect the Danish Data Protection Agency to issue notices in the short term.

Violation of the GDPR and of the Danish Data Protection Act also constitutes a criminal offence, which is punishable by imprisonment of up to six months.

Compensation

Data subjects have a right to compensation in respect of material and non-material damage. This requires more than a mere infringement of the GDPR and there must be actual material or non-material damage, however there is no minimum threshold of seriousness before compensation is available, see Österreichische Post (C-300/21). 

Other powers

Regulators will have a range of other powers and sanctions at their disposal. This includes investigative powers, such as the ability to demand information from controllers and processors, and to carry out audits. They will also have corrective powers enabling them to issue warnings or reprimands, to enforce an individual’s rights and to issue a temporary or permanent ban on processing

The Data Protection Act will give the Agency the ability to exercise these powers through information notices, assessment notices and enforcement notices.

Practice

The most significant fines are set out below:

  • The Danish Data Protection Agency has in April 2022 prosed a fine of €1.3m against a Danish bank, Danske Bank. . The bank self-reported having a problem with deleting personal data to the Danish Data Protection Agency. Subsequent to this, the Danish Data Protection Agency initiated a case against the bank. The Danish Data Protection Agency discovered that the bank had failed to maintain procedures for deletion and storage of personal data, and further the bank had failed to perform manual deletion of personal data within 400 systems. The bank could not demonstrate the existence of these procedures, as required by the GDPR. The bank had therefore failed to demonstrate compliance with the principles of storage and purpose limitation. The case has yet to be determined by the court.
  • The City Court of Roskilde has in March 2022 fined Lejre Municipality €7,000 for security failures. This is the first time a public authority is fined by the courts for a violation of the GDPR. In particular, the case was about a lack of access control to minutes of meetings containing sensitive personal data. Minutes of meetings were uploaded to the Municipality’s employee portal, where several employees had access. In the judgement, the Court emphasised the scope and the nature of the sensitive personal data, as well as on the number of persons who had unauthorised access to the data over a long period of time.
  • The Danish Data Protection Agency has in July 2020 proposed that Arp Hansen Hotel Group A/S be fined €147,800 for failing to delete approximately 500,000 customer profiles in accordance with the company’s deletion deadlines. In September 2023, the Eastern High Court settled the appeal case and imposed a fine of €134,200 to the hotel group. This is the largest fine ever imposed by the Danish courts.
  • The Danish Data Protection Agency has in June 2019 proposed a fine of €200,850 to the furniture company IDdesign A/S for processing the personal data of approximately 385,000 customers for longer periods than necessary for the purposes for which, they were being processed. In addition, the company had not established retention schedules for a new CRM system and failed to delete data in accordance with retention schedules for its old CRM system. In February 2021, the City Court in Aarhus fined IDdesign A/S €13,500, which was a significantly smaller fine than what the Prosecution had claimed. The fine was determined on the basis of the company's turnover alone and not on the basis of the worldwide turnover of the entire group, which the Danish Data Protection Agency had prepared for. The judgment was appealed by the Public Prosecutor to the High Court of Western Denmark, which is now hearing the criminal case. In connection, the High Court of Western Denmark has decided to refer a question to the Court of Justice of the European Union concerning the interpretation of Article 83(5) of the GDPR.
  • The Danish Data Protection Agency has in March 2019 proposed a fine of €160,000 to the taxi company Taxa 4x35 for retaining nearly 8.9 million records of taxi journeys, which contained customer telephone numbers for three years longer than necessary. The company deleted customer names from records after two years but retained telephone numbers for five years. The City Court of Frederiksberg imposed a fine of €13,500. The case has been appealed by the prosecution and a new trial date is yet to be set.
  • In a case against the Danish IT company, Netcompany, the Danish Data Protection Agency has in January 2024 proposed that Netcompany be fined no less than €2,013,000 million for failing to comply with the GDPR in several instances, as Netcompany as controller had not implemented appropriate security measures in connection with the development of the IT system Mit.dk. This included not incorporating privacy by design in the system and not having prepared an impact assessment in connection with the development of mit.dk.
  • In February 2024 the Danish Data Protection Agency proposed a fine of €202.000 to the private hospital Capio A/S for failing to comply with the GDPR principle of accountability. The hospital had not been able to ensure and demonstrate that personal data was processed for lawful and reasonable purposes and in a manner that ensures adequate security for the Personal Data in question, even if the hospital had a third party as the processor.

Other enforcement action:

In addition to the above cases where the Danish Data Protection Agency has proposed a fine and handed the cases over to the Danish police to peruse the cases at the Danish courts, the Danish Data Protection Agency has issued a number of rulings under the GDPR, which has led to criticism (and no proposed fine).

_____________________________________________________________________ Top

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

Article 13 of the Privacy and Electronic Communications Directive regarding unsolicited direct marketing has been implemented by Section 10 of the Marketing Practices Act (Consolidated Act No. 866 of 15 June 2022).

The other provisions of the Privacy and Electronic Communications Directive have been implemented by the Danish Act on Electronic Communications and Network Services No. 128 of 7 February 2014. This Act is amended by Act No. 741 of 1 June 2015, Act No. 1567 of 15 December 2015, Act No. 203 of 28 February 2017, Act No. 1676 of 26 December 2017, Act No. 503 of 23 May 2018, Act No. 1531 of 18 December 2018, Act No. 1830 of 8 December 2020, Act No. 285 of 27 February 2021, Act No. 1176 of 8 June 2021, Act No. 2601 of 28 December 2021, Act No. 2605 of 18 December 2018, and Act No. 291 of 8 March 2022.

_____________________________________________________________________ Top

Cookies

Conditions for use of cookies

The Danish Executive Order on Cookies No. 1148 of 9 December 2011 entered into force on 14 December 2011. Revised guidance to the Executive Order was published in April 2013 by the supervisory authority – The Danish Business Authority. In addition hereto, the Danish Business Authority has published further guidance directed to public authorities in December 2019, which in practice is used as guidance for the measures necessary for private institutions and businesses as well.

The Executive Order requires prior specific and informed consent for the use of cookies unless: (i) the storage has the sole purpose of carrying out communications via an electronic communications network; or (ii) the cookie is strictly necessary for the provision of a service to a user and the user has specifically requested such service.

The consent of the user to the storing of cookies must be an active consent. The user must actively tick a consent box for each type of cookie used on the website, e.g. marketing, preferences and security, for the consent to be sufficiently “active”, hence, pre-ticked boxes or continued use of the website cannot be considered sufficient consent by the user. Such active consent must be provided prior to any cookies being loaded by the website. It is also necessary to inform users of the use of cookies, the purpose of such use, the duration of the cookies and the name of the entity/person storing the cookies, and the users should be offered the right to refuse the use of cookies and change their consent at any time. The information provided must be clear and sufficient. The website owner may use a layered approach, where a short version of the necessary basic information is provided to the user, e.g. in a banner, with a link to the owner’s entire cookie policy.

Regulatory guidance on the use of cookies

The Danish Business Authority issued general cookie guidelines on 15 April 2013 and specific guidelines for public authorities in December 2019 in order to clarify some of the many questions raised in relation to the Danish Executive Order on Cookies. The guidelines for public authorities are in practice used by private institutions and business as well. The cookie guidelines also contain advice on practical matters such as how to identify which cookies are used on a website.

As of December 2022, the compliance and guidance with the Executive Order on Cookies is supervised by the Agency for Digital Government.

_____________________________________________________________________ Top

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Pursuant to the Danish Marketing Practices Act, a trader must not approach anyone (i.e. consumers or other traders) by means of electronic mail (e-mail, SMS, social media), an automated calling system or a facsimile machine for the purposes of direct marketing unless the party concerned has given its prior consent.

The requirements for consent under the Danish Marketing Practices Act are identical to the consent requirements of the GDPR. Consequently, the consent must be freely given, specific and informed. Where subsequent marketing communications are sent, the customer must be informed of the right to withdraw the consent.

The consent may not be obtained by tacit acceptance or in response to the customer’s inaction. This means that ‘pre-ticked’ acceptance boxes in order confirmations, in connection with payments and the like from which it appears that the costumer gives consent to receive marketing material will not meet the requirements in the Danish Marketing Practices Act. Also, the trader must allow free and easy revocation of consent.

Conditions for direct marketing by e-mail to corporate subscribers

The Danish Marketing Practices Act’s prohibition against unsolicited direct marketing by electronic means applies to both business-to-consumer and business-to-business. Please see conditions regarding consent described above.

Exemptions and other issues

It is permitted to send electronic mail to individual subscribers and corporate subscribers for the purposes of direct marketing if the similar products and services exemption applies.

_____________________________________________________________________ Top

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

It is not permitted to make unsolicited direct marketing calls to individual subscribers unless the subscriber has notified the caller of his consent to this approach.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

It is permitted to make unsolicited direct marketing calls to corporate subscribers unless these have indicated, that they do not wish to receive such unsolicited direct marketing calls for example via the Danish Company Register.

Exemptions and other issues

It is permitted to make unsolicited direct marketing calls to an individual subscriber (consumer) if the call concerns: (i) the ordering of books; (ii) the taking out of a subscription to a newspaper, a magazine or a gazette; (iii) the procurement of insurance contracts; or (iv) the subscription to certain kinds of rescue assistance services (for example, a roadside assistance subscription) or the transport of patients. However, the caller must still investigate whether the person concerned has declined communications for marketing purposes, for example a “Robinson list” prepared each quarter by the Central Office of Personal Registration.

_____________________________________________________________________ Top