The Danish DPA
Denmark’s Data Protection Act (DPA) sets out rules for the collection, processing, storage, and use of personal data. The Danish DPA incorporates GDPR into Danish law and supplements it, with amendments and provisions for ministers to lay down more detailed rules.
The Danish DPA applies to businesses, public authorities, and other organizations. It gives people the right to access their personal data and to request correction or deletion of that data. The law also requires organizations to implement appropriate technical and organizational measures to ensure the security of personal data.
Let’s look at some key points from the Act. Note that only the Danish version of the text has legal validity. For more information, read the DPA in Danish, or consult a Danish legal professional.
Scope of the Danish DPA
First, find out if the rules in the Data Protection Act apply to your business. Make sure you comply with the Act if:
- Your business is established in Denmark.
- You handle data belonging to Danish diplomatic representations.
- You offer goods or services to people in Denmark.
- You monitor individuals who are in Denmark.
The Data Protection Act applies to all automatic data processing of personal data, and to any other non-automatic processing of personal data that will be contained in a filing system. Often, when we talk about data protection laws, we focus on data you store electronically or in cloud and email environments. However, the rules we will discuss from the Act apply to both electronic records and structured hard copy records.
Definitions in common in GDPR and Denmark's DPA
You will notice similar language in Denmark’s DPA and GDPR. Because the DPA is a companion to the GDPR, the two have the same definitions for the following important terms:
- Personal data is any information relating to an identified or identifiable natural person.
- Special categories of personal data* include data related to race, religion, sexuality, health, and genetics.
- Processing data includes anything you do with people’s data, including storing, hosting, accessing or deleting it.
- A data controller, alone or jointly with others, determines the purposes and means of the processing of personal data.
- A data processor processes personal data on behalf of the controller, and acts on the instructions of the controller.
- A data subject is a living, natural person whose personal data is being processed.
*In Denmark, information about criminal offenses is dealt with separately and is subject to even tighter controls. Personal registration numbers (CPR numbers) are also covered separately and have their own specific requirements for handling.
Key rules for data protection in Denmark
The Danish DPA sets out rules for how you should collect, store and share people’s personal data. Here are a few key rules for data protection in Denmark:
Rules for data collection
When collecting someone’s data:
- Only collect personal data for specified, explicit and legitimate purposes.
- Do not process it further in a manner that is incompatible with those purposes.
- When deciding whether processing the data for another purpose is compatible, take into account:
a) the purposes for which you collected the personal data and the purposes of further processing;
b) the context in which you collected the data, in particular your relationship with the data subjects;
c) the nature of the personal data, especially if you will process special categories of personal data or data about criminal convictions and offenses;
d) the possible consequences for data subjects;
e) the existence of appropriate safeguards like encryption or pseudonymisation.
Rules for data retention
The Data Protection Act includes GDPR’s principle of storage limitation and therefore has the same rules about data retention. You must delete personal data when you no longer need it for the purpose you collected it for.
Make sure you:
- Do not keep personal data longer than you need it.
- Set internal policies with a standard data retention period.
- Be ready to justify why you need to keep the data for that long.
- Make sure your employees understand your data retention policy.
- Be ready to erase the data sooner if the data subject asks you to.
- Inventory your data regularly to make sure you are compliant.
Remember, you can keep personal data longer if you only use it for public interest archiving, scientific, historical, or statistical purposes.
Rules for sharing/disclosing data
You should not disclose personal data to any third party unless:
- The data subject has given explicit consent; or
- Disclosure is necessary to safeguard private or public interests. These interests must clearly override the interests of secrecy, including the interests of the data subject; or
- Disclosure is necessary for the authorities to perform their activities or make a decision; or
- Disclosure is necessary for the performance of tasks by a person or an enterprise for the authorities.
Data concerning debts to public authorities may be disclosed to credit information agencies (with some exceptions).
Points of difference between GDPR and Denmark's DPA
GDPR and Denmark’s DPA are closely tied and meant to be read together. However, GDPR does allow member states to make their own amendments and exceptions. Let’s look at some of the ones Denmark makes in the DPA:
DPA requires preapproval for some types of data processing
The GDPR has no requirement to notify regulators before you begin processing personal data. However, the Data Protection Act does require you to get authorization first for certain types of data processing. In Denmark, you need the Data Protection Agency’s preapproval before processing personal data:
- to warn others against having business relations or accepting employment with a person; or
- for commercial disclosure of data for the assessment of financial standing and creditworthiness; or
- exclusively for the purpose of operating legal information systems.
Use the application forms on Datatilsynet’s website when applying for approval from the Data Protection Agency. The website has also published guidance on how to determine whether a type of business or business activity qualifies as a warning register or credit information agency.
DPA lets children consent to data processing at 13
Children’s personal data gets special protection under GDPR and Denmark’s DPA. This is because they may be less aware of the risks and consequences of sharing their personal data with you.
GDPR requires consent from a parent to collect personal data to give online services to a child under 16 years old. It allows for countries to reduce this age to 13 if they choose.
The Data Protection Act does this for children in Denmark. Therefore, the minimum age at which a child can provide valid consent for use of online services is reduced to 13 years old.
However, you should take the maturity of the child into account when assessing whether a child under the age of 18 can provide consent. Datatilsynet guidelines on consent recommend that a child aged 15 will generally be sufficiently mature to provide consent on their own.
Note that the rules for consent for children’s data apply whenever you use their data to market services to them or to create user profiles for them. On the other hand, you may not need a parent/guardian’s consent to provide preventative or counseling services to children, for example.
Danish employees' personal data
Denmark adopts special national rules about employees’ personal data. Employers can process their employees’ personal data to comply with their legal obligations or rights set out in applicable law or collective bargaining agreements. This applies to both non-special categories of personal data and special categories of personal data.
Additionally, the Data Protection Act allows processing when needed to pursue a legitimate interest that arises from other law or collective agreements, as long as doing so does not override the interests, rights and freedoms of the data subject. This applies to both regular personal data and special categories of personal data.
You can use consent as a legal basis to collect and process data in an employment context. The consent should be freely given and meet all the usual consent requirements set out in GDPR.
There are some exceptions to data subject rights for employees. An employee requesting access to their personal information is not entitled to a copy of all communications they sent as part of their job.
Note that you must get special authorization from the Agency before using someone’s personal data to warn others against entering into business or employment relations with them.
Identification numbers in Denmark (CPR)
The Data Protection Act addresses ID numbers separately. In Denmark, public authorities can process ID numbers. But the DPA states that private companies can only process identification numbers if:
- This follows from the law
- The data subject gives consent
- You will use it for scientific or statistical purposes
Disclose an ID number only if it is a natural element of the ordinary operation of enterprises and the disclosure is of decisive importance for unique identification of the data subject; or if a public authority demands it. Do not make an identification number public unless consent has been given in accordance with Article 7 of the General Data Protection Regulation.
Special DPA rules for credit rating agencies
The Danish DPA has specific rules for credit rating agencies. These rules restrict the categories of personal data that can be processed by credit rating agencies when giving someone a credit rating.
Credit agencies should follow these rules:
- Only process the data categories you need to evaluate the person’s financial standing.
- Do not process special categories of personal data, or information about criminal convictions or offenses.
- Do not process data over five years old that would disqualify a person from getting credit, unless the data is of key importance to the person’s credit rating.
- Only communicate information about someone’s financial standing or credit rating to third parties in writing. (Unless the data is aggregated and the receiver’s name and address are stored for at least six months first.)
Data about criminal offenses
GDPR Article 10 states that you may only process criminal data under the control of official authorities. However, it allows processing if the Member State’s law authorizes it, providing for appropriate safeguards for the rights and freedoms of data subjects.
Denmark’s DPA allows you to process personal data relating to criminal convictions or offenses if:
- you are a public authority; or
- you process the data under the control of official authority; or
- the data subject gives explicit consent; or
- processing is necessary for the purposes of pursuing a legitimate interest and such interest clearly overrides the interests of the data subject.
You should not share information on criminal offenses with any third party unless:
- the data subject has given explicit consent to disclose it; or
- you share it to safeguard private or public interests which clearly override the interests of secrecy, including the data subject’s interests; or
- the authorities need it to perform their activities or to make a decision; or
- disclosure is necessary for a person or enterprise to perform tasks for a public authority.
Data about a deceased person
In legal terms, the GDPR does not apply to a person’s data once they have died. However, Denmark’s DPA amends this by stating that its rules and GDPR’s will apply to the data of a deceased person for 10 years following the person’s death. Further, it gives the Minister of Justice the authority to shorten or lengthen that period.
Data Subject Rights exemptions in Denmark
Denmark’s Data Protection Act incorporates the GDPR’s data subject rights:
- The right to be informed
- The right to access
- The right to object
- The right to erasure and blocking
- The right to rectification
- The right to file a complaint
- The right to damages
- The right to data portability
Generally, people exercise these rights by sending you data requests or DSARs. You must respond to all such requests promptly, usually within 30 days. But this can be a challenge.
Since GDPR and the DPA have no formal requirements on how a person should make their requests (by phone, by email, etc.), it’s easy to let them slip through the cracks. For this reason, we recommend setting up a streamlined way for requests to come in so you won’t miss one and end up with a fine.
Often, responding to data requests means sending the person some or all of their data back or giving them other info about their data and how you use it. The GDPR does not put a lot of limitations on the requests people can make. However, the Data Protection Act does list some exceptions where you may not have to comply with data requests. For example, the data subject’s interest in their information may be overridden by:
- Essential considerations of private interests, including the data subject’s interests.
- Essential considerations of public interests.
And you may also be exempt from fulfilling some GDPR rights if you process the data:
- On behalf of a public administrative authority in the course of its administrative procedures.
- On behalf of courts acting in their judicial capacity.
- Exclusively for scientific or statistical purposes; or
- If giving the person access to the data would impede the investigation of criminal offenses.
Danish law contains several exemptions and exceptions for journalists, law-enforcement and crime prevention, parliamentary work, and court proceedings.
These exemptions are for the interest of freedom of speech, public safety, public health and other private and public interests. These interests may outweigh a person’s personal rights to secrecy and access to information.
Administrative duties under the Danish DPA
Most privacy regulations also require a significant amount of administrative work to show you protect personal data. This includes keeping documentation of your data processing activities, performing Data Protection Impact Assessments, and more. The Danish DPA is no different. So, let’s review some of these requirements.
Denmark's DPO requirements
A Data Protection Officer or DPO is the person in charge of data privacy and compliance for your company. Denmark’s rules and requirements (which companies need a DPO, who qualifies as a DPO, what that person’s duties are, etc.) align with the GDPR. However, Denmark does have one additional requirement for DPOs. Under the Danish Data Protection Act, a DPO also has a duty of secrecy. They cannot disclose or exploit any personal data they access to perform their job.
Data Protection Impact Assessments (DPIAs)
Before your company begins any data processing activity that could be high-risk, you must perform a data protection impact assessment or DPIA. The Danish Data Protection Agency has published its own list of high-risk processing activities which require a privacy impact assessment.
Record of processing activities
The GDPR requires a record of all data processing activities to be kept. Denmark’s DPA has the same requirement. Therefore, make sure you create a detailed, structured document that lists details about how you process data. The record should include your purposes for processing personal data, what categories of personal data you collect/store/use, and more.
Privacy notice requirements
Note that the Data Protection Act states that there will be no duty to provide a privacy notice if the data subject’s interests in the information are overridden by crucial private interests (e.g., whistleblowing reports and other internal investigations).
The data protection authority in Denmark
The Data Protection Act establishes an agency for enforcing its rules. Denmark’s independent supervisory authority is Datatilsynet. In short, the agency’s responsibility is to ensure that organizations in Denmark comply with the Act and protect individuals’ privacy rights. It has the power to issue fines, sanctions and even imprisonment of up to six months for non-compliance with the law.
According to its website, Datatilsynet will:
- Examine complaints from individuals in relation to potential infringements of data protection law.
- Conduct inquiries and investigations regarding infringements of data protection legislation and take enforcement action where necessary.
- Promote awareness amongst members of the public of their rights to have their personal information protected.
- Drive improved awareness and compliance through the publication of high-quality guidance and proactive engagement with public and private sector organisations.
- Through consultations with organizations, assist in identifying risks to personal data protection.
- Cooperate with other data protection authorities.
Carl Jacobsens Vej 35
Phone +45 33 19 32 00
Help to comply with Denmark's DPA
Our products were created in Denmark to help small and medium businesses comply with the Danish DPA, GDPR, and other privacy regulations worldwide.