The Danish DPA

Denmark’s Data Protection Act (DPA) sets out rules for collecting, processing, storing, and using personal data. The Danish DPA incorporates GDPR into Danish law and supplements it, with amendments and provisions for ministers to lay down more detailed rules.

The Danish DPA applies to businesses, public authorities, and other organisations. It gives people the right to access their personal data and to request correction or deletion of that data. The law also requires organisations to implement appropriate technical and organisational measures to ensure the security of personal data.

Let’s look at some key points from the Act. Note that only the Danish version of the text has legal validity. For more information, read the DPA in Danish, or consult a Danish legal professional.

Scope of the Danish DPA

First, find out if the rules in the Danish Data Protection Act apply to your business. Make sure you comply with the Act if:

  • Your business is established in Denmark.
  • You handle data belonging to Danish diplomatic representations.
  • You offer goods or services to people in Denmark.
  • You monitor individuals who are in Denmark.

The Data Protection Act applies to all automatic data processing of personal data, and to any other non-automatic processing of personal data that will be contained in a filing system. Often, when we talk about data protection laws, we focus on data you store electronically or in cloud and email environments. However, the rules we will discuss from the Act apply to both electronic records and structured hard copy records.

Definitions in common in GDPR and Denmark's DPA

You will notice similar language in Denmark’s DPA and GDPR. Because the DPA is a companion to the GDPR, the two have the same definitions for the following important terms:

  • Personal data is any information relating to an identified or identifiable natural person.
  • Special categories of personal data* include data related to race, religion, sexuality, health, and genetics.
  • Processing data includes anything you do with people’s data, including storing, hosting, accessing or deleting it.
  • A data controller, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • A data processor processes personal data on behalf of the controller, and acts on the instructions of the controller.
  • A data subject is a living, natural person whose personal data is being processed.

*In Denmark, information about criminal offences is dealt with separately and is subject to even tighter controls. Personal registration numbers (CPR numbers) are also covered separately and have their own specific requirements for handling.

Did you know that organisations that do not comply with regulations like GDPR face significantly higher costs when data breaches occur?

Key rules for data protection in Denmark

The Danish DPA sets out rules for how you should collect, store and share people’s personal data. Here are a few key rules for data protection in Denmark:

Rules for data collection

When collecting someone’s data:

  • Only collect personal data for specified, explicit and legitimate purposes.
  • Do not process it further in a manner that is incompatible with those purposes.
  • When deciding whether processing the data for another purpose is compatible, take into account:

a) the purposes for which you collected the personal data and the purposes of further processing;
b) the context in which you collected the data, in particular your relationship with the data subjects;
c) the nature of the personal data, especially if you will process special categories of personal data or data about criminal convictions and offences;
d) the possible consequences for data subjects;
e) the existence of appropriate safeguards like encryption or pseudonymisation.

Rules for data retention

The Data Protection Act includes GDPR’s principle of storage limitation and therefore has the same rules about data retention. This means you must delete personal data when you no longer need it for the purpose you collected it for.

In practice:

  • Do not keep personal data longer than you need it.
  • Set internal policies with a standard data retention period.
  • Be ready to justify why you need to keep the data for that long.
  • Make sure your employees understand your data retention policy.
  • Be ready to erase the data sooner if the data subject asks you to.
  • Inventory your data regularly to make sure you are compliant.

Remember, you can keep personal data longer if you only use it for public interest archiving, scientific, historical, or statistical purposes.

Rules for sharing/disclosing data

You should not disclose personal data to any third party unless:

  • The data subject has given explicit consent; or
  • Disclosure is necessary to safeguard private or public interests. These interests must clearly override the interests of secrecy, including the interests of the data subject; or
  • Disclosure is necessary for the authorities to perform their activities or make a decision; or
  • Disclosure is necessary for the performance of tasks by a person or an enterprise for the authorities.

Data concerning debts to public authorities may be disclosed to credit information agencies (with some exceptions).

Points of difference between GDPR and Denmark's DPA

GDPR and Denmark’s DPA are closely tied and meant to be read together. However, GDPR does allow member states to make their own amendments and exceptions. Let’s look at some of the ones Denmark makes in the DPA:

DPA requires preapproval for some types of data processing

The GDPR has no requirement to notify regulators before you begin processing personal data. However, the Data Protection Act does require you to get authorisation first for certain types of data processing. In Denmark, you need the Data Protection Agency’s preapproval before processing personal data:

  • to warn others against having business relations or accepting employment with a person; or
  • for commercial disclosure of data for the assessment of financial standing and creditworthiness; or
  • exclusively for the purpose of operating legal information systems.

Use the application forms on Datatilsynet’s website when applying for approval from the Data Protection Agency. The website has also published guidance on how to determine whether a type of business or business activity qualifies as a warning register or credit information agency.

DPA lets children consent to data processing at 13

Children’s personal data gets special protection under GDPR and Denmark’s DPA. This is because they may be less aware of the risks and consequences of sharing their personal data with you.

GDPR requires consent from a parent to collect personal data to give online services to a child under 16 years old. It allows for countries to reduce this age to 13 if they choose.

The Data Protection Act does this for children in Denmark. Therefore, the minimum age at which a child can provide valid consent for use of online services is reduced to 13 years old.

However, you should take the maturity of the child into account when assessing whether a child under the age of 18 can provide consent. Datatilsynet’s guidelines on consent state that a child aged 15 will generally be sufficiently mature to provide consent on their own.

Note that the rules for consent for children’s data apply whenever you use their data to market services to them or to create user profiles for them. On the other hand, you may not need a parent/guardian’s consent to provide preventative or counselling services to children, for example.

Danish employees' personal data

Denmark adopts special national rules about employees’ personal data. Employers can process their employees’ personal data to comply with their legal obligations or rights set out in applicable law or collective bargaining agreements. This applies to both non-special categories and special categories of personal data.

Additionally, the Data Protection Act allows processing when needed to pursue a legitimate interest that arises from other law or collective agreements, as long as doing so does not override the interests, rights and freedoms of the data subject. This applies to both regular personal data and special categories of personal data.

You can use consent as a legal basis to collect and process data in an employment context. The consent should be freely given and meet all the usual consent requirements set out in GDPR.

There are some exceptions to data subject rights for employees. An employee requesting access to their personal information is not entitled to a copy of all communications they sent as part of their job.

Note that you must get special authorisation from the Agency before using someone’s data to warn others against entering into business or employment relations with them.

Identification numbers in Denmark (CPR)

The Data Protection Act addresses ID numbers separately. In Denmark, public authorities can process ID numbers. However, the DPA states that private companies can only process identification numbers if:

  • This follows from the law
  • The data subject gives consent
  • You will use it for scientific or statistical purposes

Disclose an ID number only if it is a natural element of the ordinary operation of enterprises and the disclosure is of decisive importance for unique identification of the data subject; or if a public authority demands it. Do not make an identification number public unless consent has been given in accordance with Article 7 of the General Data Protection Regulation.

Special DPA rules for credit rating agencies

The Danish DPA has specific rules for credit rating agencies. These rules restrict the categories of personal data that can be processed by credit rating agencies when giving someone a credit rating.

Credit agencies should follow these rules:

  • Only process the data categories you need to evaluate the person’s financial standing.
  • Do not process special categories of personal data, or information about criminal convictions or offenses.
  • Do not process data over five years old that would disqualify a person from getting credit, unless the data is of key importance to the person’s credit rating.
  • Only communicate information about someone’s financial standing or credit rating to third parties in writing (unless the data is aggregated and the receiver’s name and address are stored for at least six months first).

Data about criminal offences

GDPR Article 10 states that you may only process criminal data under the control of official authorities. However, it allows processing if the Member State’s law authorises it, providing for appropriate safeguards for the rights and freedoms of data subjects.

Denmark’s DPA allows you to process personal data relating to criminal convictions or offences if:

  • you are a public authority; or
  • you process the data under the control of official authority; or
  • the data subject gives explicit consent; or
  • processing is necessary for the purposes of pursuing a legitimate interest and such interest clearly overrides the interests of the data subject.

You should not share information on criminal offences with any third party unless:

  • the data subject has given explicit consent to disclose it; or
  • you share it to safeguard private or public interests which clearly override the interests of secrecy, including the data subject’s interests; or
  • the authorities need it to perform their activities or make a decision; or
  • disclosure is necessary for a person or enterprise to perform tasks for a public authority.

Data about a deceased person

In legal terms, the GDPR does not apply to a person’s data once they have died. However, Denmark’s DPA amends this by stating that its rules and GDPR’s will apply to the data of a deceased person for 10 years following the person’s death. Further, it gives the Minister of Justice the authority to shorten or lengthen that period.

Data Subject Rights exemptions in Denmark

Denmark’s Data Protection Act incorporates the GDPR’s data subject rights:

  • The right to be informed
  • The right to access
  • The right to object
  • The right to erasure and blocking
  • The right to rectification
  • The right to file a complaint
  • The right to damages
  • The right to data portability

Generally, people exercise these rights by sending you data requests or DSARs. You must respond to all such requests promptly, usually within 30 days. But this can be a challenge.

Since GDPR and the DPA have no formal requirements on how a person should make their requests (by phone, by email, etc.), it’s easy to let them slip through the cracks. For this reason, we recommend setting up a streamlined way for requests to come in so you won’t miss one and end up with a fine.

Often, responding to data requests means sending the person some or all of their data back or giving them other info about their data and how you use it. The GDPR does not put a lot of limitations on the requests people can make. However, the Data Protection Act does list some exceptions where you may not have to comply with data requests. For example, the data subject’s interest in their information may be overridden by:

  • Essential considerations of private interests, including the data subject’s interests.
  • Essential considerations of public interests.

And you may also be exempt from fulfilling some GDPR rights if you process the data:

  • On behalf of a public administrative authority in the course of its administrative procedures.
  • On behalf of courts acting in their judicial capacity.
  • Exclusively for scientific or statistical purposes; or
  • If giving the person access to the data would impede the investigation of criminal offences.

Other exemptions

Danish law contains several exemptions and exceptions for journalists, law-enforcement and crime prevention, parliamentary work, and court proceedings.

These exemptions are for the interest of freedom of speech, public safety, public health and other private and public interests. These interests may outweigh a person’s personal rights to secrecy and access to information.

Administrative duties under the Danish DPA

Most privacy regulations also require a significant amount of administrative work to show you protect personal data. This includes keeping documentation of your data processing activities, performing Data Protection Impact Assessments, and more. The Danish DPA is no different. So, let’s review some of these requirements.

Denmark's DPO requirements

A Data Protection Officer or DPO is the person in charge of data privacy and compliance for your company. Denmark’s rules and requirements (which companies need a DPO, who qualifies as a DPO, what that person’s duties are, etc.) align with the GDPR. However, Denmark does have one additional requirement for DPOs. Under the Danish Data Protection Act, a DPO also has a duty of secrecy. They cannot disclose or exploit any personal data they access to perform their job.

Data Protection Impact Assessments (DPIAs)

Before your company begins any data processing activity that could be high-risk, you must perform a data protection impact assessment or DPIA. The Danish Data Protection Agency has published its own list of high-risk processing activities which require a privacy impact assessment.

Record of processing activities

The GDPR requires a record of all data processing activities to be kept. Denmark’s DPA has the same requirement. Therefore, make sure you create a detailed, structured document that lists details about how you process data. The record should include your purposes for processing personal data, what categories of personal data you collect/store/use, and more.

Privacy notice requirements

Post a privacy notice/privacy policy explaining how people’s personal data will be processed. Make sure it is complete, clear, and easy to understand. Provide information on how to make complaints and how to contact Denmark’s supervisory authority, Datatilsynet.

Note that the Data Protection Act states that there is no duty to provide a privacy notice if the data subject’s interests in the information are overridden by crucial private interests (e.g., whistleblowing reports and other internal investigations).

The data protection authority in Denmark

The Data Protection Act establishes an agency for enforcing its rules. Denmark’s independent supervisory authority is Datatilsynet. In short, the agency’s responsibility is to ensure that organisations in Denmark comply with the Act and protect individuals’ privacy rights. It has the power to impose fines and sanctions, and even imprisonment of up to six months, for non-compliance with the law.

According to its website, Datatilsynet will:

  • Examine complaints from individuals in relation to potential infringements of data protection law.
  • Conduct inquiries and investigations regarding infringements of data protection legislation and take enforcement action where necessary.
  • Promote awareness amongst members of the public of their rights to have their personal information protected.
  • Drive improved awareness and compliance through the publication of high-quality guidance and proactive engagement with public and private sector organisations.
  • Through consultations with organisations, assist in identifying risks to personal data protection.
  • Cooperate with other data protection authorities.

Contact information:

Datatilsynet
Carl Jacobsens Vej 35
DK-2500 Valby
Denmark
Phone +45 33 19 32 00
www.datatilsynet.dk

Help to comply with Denmark's DPA

Do you need help complying with the Danish Data Protection Act, GDPR and other privacy regulations? At Safe Online, we develop IT solutions that facilitate the processing of personal data. Our solutions are:

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist