DLA Piper Intelligence

Data Protection
Laws of the World

Law

Denmark

Denmark implemented the EU Data Protection Directive 95/46/EC in June 2000 with the Act on Processing of Personal Data (‘Act’).  

By order of the Council, the Danish Act on Processing Personal Data entered into force in Greenland on 1 December 2016 with only a few modifications regarding requirements for processing as part of CCTV monitoring (which did not apply in Greenland) and applicability with regard to the courts of law. Therefore, the Danish Data Protection Act has jurisdiction to supervise the processing of personal data in Greenland subject to the Act.

Last modified 26 Jan 2017
Definitions

Definition of personal data

Any information relating to an identified or identifiable natural person (data subject).

Definition of sensitive personal data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or sex life.

Last modified 26 Jan 2017
Authority

Datatilsynet ('DPA')
Borgergade 28, 5
DK 1300 København K

T +45 3319 3200
F +45 3319 3218

Last modified 26 Jan 2017
Registration

Unlike most EU Member States, Denmark does not require a general registration of controllers, processing activities or databases with personal information.

However, data processors established in Denmark who offer electronic processing services must notify the DPA prior to the commencement of such processing operations. This notification requirement also applies to the processing of personal data which is carried out for the purpose of professional assistance in connection with staff recruitment.

Besides this notification requirement, processing of personal data must be notified by the controller to the DPA if the processing includes sensitive or other purely private data. Such a registration should include the following information:

  • the name and address of the controller, his representative (if any) and the processor (if any)
     
  • the category of processing and its purpose
     
  • a general description of the processing
     
  • a description of the categories of data subjects and of the categories of data relating to them
     
  • the recipients or categories of recipients to whom the data may be disclosed
     
  • intended transfers of data to third countries
     
  • a general description of the security 
     
  • the date of the commencement of the processing, and
     
  • the date of deletion of the data.
Last modified 26 Jan 2017
Data Protection Officers

There is no requirement for organisations to appoint a data protection officer.

Last modified 26 Jan 2017
Collection & Processing

Data controllers may collect and process personal data when any of the following conditions are met:

  • the data subject has given his explicit consent
     
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
     
  • processing is necessary for compliance with a legal obligation to which the controller is subject
     
  • processing is necessary in order to protect the vital interests of the data subject
     
  • processing is necessary for the performance of a task carried out in the public interest
     
  • processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed, or
     
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the data is disclosed, and these interests are not overridden by the interests of the data subject.

Sensitive personal data (as detailed above) may be processed only if:

  • the data subject has given his explicit consent to the processing of such data
     
  • processing is necessary to protect the vital interests of the data subject or of another person where the person concerned is physically or legally incapable of giving his consent
     
  • the processing relates to data which has been made public by the data subject, or
     
  • the processing is necessary for the establishment, exercise or defence of legal claims.

Personal data about purely private matters may be processed by private entities only if:

  • the data subject has given his explicit consent, or
  • the processing is necessary for the purpose of pursuing a legitimate interest and this interest clearly overrides the interests of the data subject.

Personal data about purely private matters may be disclosed only if:

  • the data subject has given his explicit consent, or

  • the disclosure is necessary for the purpose of pursuing public or private interests, including the interests of the person concerned, which clearly override the interests of secrecy.

Furthermore, the data controller must provide the data subject with the necessary information to fulfil the duty of information, including information about the identity of the controller and the purposes of the processing for which the data is intended and any further information which is necessary having regard to the specific circumstances in which the personal data is collected and/or obtained.

Last modified 26 Jan 2017
Transfer

Data controllers may transfer personal data out of the EU/EEA if any of the following conditions are met:

  • the data subject has given his explicit consent
     
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request
     
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party
     
  • the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims
     
  • the transfer is necessary in order to protect the vital interests of the data subject
     
  • the transfer is made from a register which according to law or regulations is open to consultation either by the public in general or by any person who can demonstrate legitimate interests, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case
     
  • the transfer is necessary for the prevention, investigation and prosecution of criminal offences and the execution of sentences or the protection of persons charged, witnesses or other persons in criminal proceedings, or
     
  • the transfer is necessary to safeguard public security, the defence of the realm, or national security.

Furthermore, data controllers may transfer personal data out of the EEA if the data exporter and the data importer have entered into standard contractual clauses approved by the EU Commission or if Binding Corporate Rules cover the transfer. If the legal basis for the transfer is consent, EU standard contractual clauses which have not been amended, or Binding Corporate Rules, the transfer does not have to be notified to the DPA for approval.*

The DPA may authorise a transfer of personal data to an insecure third country where the controller adduces adequate safeguards with respect to the protection of the rights of the data subject.

* Please note that following the Judgment of the Court of Justice of the European Union on 6 October 2015 in the case of Schrems (C-362/14), the US-EU Safe Harbor regime is no longer regarded as a valid basis for transferring personal data to the US. The Privacy Shield framework replaces the US-EU Safe Harbor regime as a basis for transferring personal data to the US. Please refer to DLA Piper’s Privacy Matters blog http://blogs.dlapiper.com/privacymatters/ for more information and insight into the current legislation regarding transfer of personal data to the US.

Last modified 26 Jan 2017
Security

Data controllers must implement appropriate technical and organisational security measures to protect data against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure, abuse or other processing in violation of the provisions laid down in the Act. The same applies to data processors.

Last modified 26 Jan 2017
Breach Notification

There is no mandatory requirement in the Act to report data security breaches or losses to the DPA. However, DPA practice stresses that affected data subjects normally should be informed about breaches.

Last modified 26 Jan 2017
Enforcement

The DPA, which consists of a Council and a Secretary, is responsible for the supervision of all processing operations covered by the Act. If the DPA becomes aware that a data controller is in breach of the Act, the DPA can state their legal opinion.

Furthermore, the DPA can impose fines and a person who violates the Act is liable to a prison sentence of up to four months.

In addition to this, a controller shall compensate for any damage caused by the processing of personal data in violation of the Act.

Last modified 26 Jan 2017
Electronic Marketing

The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (eg an email address is likely to be ‘personal data’ for the purposes of the Act). A company can process data concerning existing customers for marketing of the company’s own products if the processing is necessary for the purposes of the legitimate interests pursued by the company and these interests are not overridden by the interests of the consumer. A company may not disclose data concerning a consumer to a third company for the purpose of marketing or use such data on behalf of a third company for this purpose, unless the consumer has given his explicit consent.

According to the Danish Marketing Practices Act, a trader must not approach anyone by means of electronic mail, an automated calling system or facsimile machine with a view to the sale of products, real property, other property, labour and services unless the party concerned has requested him to do so. If a trader has received a customer’s electronic contact details in connection with the sale of products or services, he may market his own similar products or services to that customer by electronic mail, provided that the customer has the option, free of charge and in an easy manner, of declining this both when giving his contact details to the trader and in the event of subsequent communications.

Changes in the legislation are expected by 1 July 2017 if the bill regarding a new Danish Marketing Practices Act is passed by the Danish Parliament. The changes include easier access for traders to contact customers and other traders.

Last modified 26 Jan 2017
Online Privacy

Directive 2009/136/EC was implemented in the new Danish Act on Electronic Communications Services and Networks which came into force on 25 May 2011 in accordance with the implementation deadline in the Directive.

According to the ‘Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-user Terminal Equipment’, which came into force on 14 December 2011, the use of cookies requires consent. The consent must be freely given and specific. This does not imply that consent must be obtained each time a cookie is used, but the user must be given an option. Furthermore, the consent must be informed, which implies that a user must receive information about the consequences of consenting. Finally, the consent must be an informed indication of the user’s wishes. Normally, consent is obtained through tick-the-box, but the use of a homepage after having received the relevant information concerning cookies can also constitute consent. Yet, consent by use of a homepage must be used with caution.

In addition to this, the information to the user must fulfil the below mentioned requirements:

  • the information must be clear and easy to understand
     
  • the purpose of the use of the cookies must be provided
     
  • the identity of the person or entity which is responsible for the use of the cookies must appear
     
  • the possibility of withdrawal of consent must be easily accessible and be described in the information, and
     
  • this information must be easily accessible for the user at all times.
Last modified 26 Jan 2017
Contacts
Egil Husum
Senior Associate
T +45 5234 4224
Heidi Højmark Helveg
Junior Partner
T +45 3334 4116
Last modified 26 Jan 2017