DLA Piper Intelligence

Data Protection
Laws of the World

Law

Denmark

By order of the EU Council, the General Data Protection Regulation (EU) 2016/679 ('Regulation') entered into force on 25 May 2018. To implement the Regulation, the Danish Parliament enacted the Danish Act on Data Protection (“Act”) on 17 May 2018, enforceable on 25 May 2018 and replacing the Danish Act on Processing of Personal Data (Act no. 429 of 31/05/2000). Hence, data protection and processing in Denmark are now regulated by the Regulation, supplemented by the Act.

The Act does not apply to Greenland and the Faroe Islands.

Last modified 18 Jul 2018
Definitions

Definition of personal data

“Personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In Denmark, information relating to deceased persons is also considered personal data until 10 years after the person's death.

Definition of “processing”

“Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

A “data controller”

Meaning the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A Processor

Meaning the natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

(The abovementioned definitions correspond to the definitions as set out in the Regulation.)

Last modified 18 Jul 2018
Authority

Datatilsynet (“DPA”)
Borgergade 28, 5
DK 1300 København K

T +45 3319 3200
F +45 3319 3218

Last modified 18 Jul 2018
Registration

In Denmark, the following types of processing require the DPA’s pre-approval:

  • private data controllers’ processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (“Special Categories of Personal Data”), solely in the public’s interest;
  • transfer of Special Categories of Personal Data, originally processed for scientific and statistical purposes, if i) such data is to be processed outside the geographical scope of the Regulation, ii) the data constitutes biometric data or iii) the data is to be published in a well-known paper;
  • processing personal data in a register on behalf of a private data controller:
    • solely for the purpose of warning other businesses against doing business with or employing a natural person;
    • with the intention of commercial exploitation of data on the natural person’s creditworthiness and financial solidity; or
    • for the creation of a register on judicial information.
Last modified 18 Jul 2018
Data Protection Officers

Under the Regulation, organisations shall designate a data protection officer (“DPO”) in any case where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the data controller or the processor consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of Special Categories of Personal Data and personal data relating to criminal convictions and offences.

The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in the Regulation.

Under the Danish Act, the DPO is subject to a duty of secrecy and is prohibited from transferring or exploiting any personal data processed in the capacity of DPO.

Last modified 18 Jul 2018
Collection & Processing

The Regulation distinguishes between 1) Personal data, 2) Special Categories of Personal Data, 3) Data on criminal offences and 4) Social security numbers. See below.

1. Personal data

Data controllers may legally register and process personal data (all data except the Special Categories of Personal Data, Data on criminal offences and Social security numbers) when at least one of the following conditions is met:

  • the data subject has given his explicit consent in accordance with articles 7 and 8 (children’s consent) of the Regulation; or
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
  • processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • processing is necessary in order to protect the vital interests of the data subject or any other natural person; or
  • processing is necessary for the performance of a task carried out in the public interest or for the performance of a task carried out in the exercise of official authority vested in the data controller; or
  • processing is necessary for the purposes of the legitimate interests pursued by the data controller or by the third-party to whom the data is disclosed, unless these interests are overridden by either the data subject’s fundamental rights including its civil rights or other interests of the data subject.

Under the Act, it is legal to process data on children with a minimum age of 13. Processing data on children younger than 13 years old is only legal if the child’s parents or legal guardians have given their explicit consent.

2. Special Categories of Personal Data

Special Categories of Personal Data (as detailed under “Registration”) may be processed only when at least one of the following conditions is met:

  • the data subject has given his explicit consent to the processing of such data for one or several purposes; or
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment and other specific rights such as social security and social protection law; or
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the person concerned is physically or legally incapable of giving his or her consent; or
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; or
  • processing relates to personal data which are manifestly made public by the data subject; or
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
  • processing is necessary for reasons of substantial public interest. The DPA must approve the processing unless such is carried out by a public organization.

Personal data and Special Categories of Personal Data may be processed if the processing is carried out in relation to the data subject’s employment at the data controller, if the processing is necessary for the data controller to comply with employment-related obligations or rights under applicable law or collective agreements, or if the processing is necessary for the data controller or a third party to pursue legitimate interests originating from other legislation or collective agreements, as long as the civil rights and interests of the data subject take precedence.

3. Data relating to criminal convictions and offences

Data relating to criminal convictions and offences may be processed by public data controllers only if the processing is strictly necessary for the performance of regulatory and public tasks. No such data can, however, be passed on, unless at least one of the following conditions is met:

  • the data subject concerned has given his or her explicit consent in accordance with article 7 in the Regulation; or
  • the passing on serves private or public interests that significantly override the consideration of non-disclosure and the data subject’s interests in general; or
  • the passing on is necessary for the performance of regulatory and public business or for a public authority to decide on a ruling; or
  • the passing on is necessary for the performance of either a natural person's or a company’s tasks on behalf of public authorities.

Private data controllers may process data relating to criminal convictions and offences if the data subject in question has given his or her explicit consent in accordance with article 7 in the Regulation, or if the processing is strictly necessary to pursue interests significantly exceeding the interests of the data subject. None of the data may be passed on without the explicit consent of the data subject, unless the passing on is performed in the interests of either the public or private data controller or the data subject in question, provided that these interests significantly exceed the consideration of non-disclosure.

Both public and private actors may process data relating to criminal convictions and offences if at least one of the following conditions is met:

  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment and other specific rights such as social security and social protection law; or
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the person concerned is physically or legally incapable of giving his or her consent; or
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; or
  • processing relates to personal data which are manifestly made public by the data subject; or
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
  • processing is necessary for reasons of substantial public interest. The DPA must approve the processing unless such is carried out by a public organization.

4. Social security numbers

Social security numbers (in Danish and henceforth “CPR-no.”) may be processed by public organisations for the purpose of identification or as a reference number.

Private data controllers may process CPR-no. when at least one of the following conditions is met:

  • the processing is required under statutory law; or
  • the data subject concerned has given his or her explicit consent in accordance with article 7 in the Regulation; or
  • the processing is carried out for scientific or statistical purposes (however not for publication, which requires a specific consent); or
  • the CPR-no. is passed on as part of the company’s natural operations and such passing on is of significant importance to the company to ensure identification of the data subject in question or is requested by a public authority; or
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment and other specific rights such as social security and social protection law; or
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the person concerned is physically or legally incapable of giving his or her consent; or
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; or
  • processing relates to personal data which are manifestly made public by the data subject; or
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
  • processing is necessary for reasons of substantial public interest. The DPA must approve the processing unless such is carried out by a public data controller.

The data controller must, at the time when personal data are obtained (no later than one month after), provide the data subject with the necessary information to fulfil the duty of information, including information about:

  • the identity of the data controller, his representative and the DPO (if applicable);
  • the contact details of the data controller/the representative;
  • the categories of data concerned;
  • the purposes of the processing for which the data is intended as well as the legal basis for the processing;
  • the legal basis for the processing in detail;
  • the recipients or categories of recipients of the personal data (if any);
  • (where applicable) information on the transfer of data or the intention to transfer data;
  • the period for which the data will be stored;
  • the data subject’s rights, including the rights to lodge a complaint, to deletion, to access and to correction;
  • the source from which the personal data originate (if applicable), and whether it came from publicly accessible sources (if applicable).

Under the Act, the above-mentioned obligation does not apply if the interests of the public, other private parties or the data subject itself exceed the data subject’s interest in obtaining the information.

Last modified 18 Jul 2018
Transfer

The Danish Act does not regulate transfer of personal data. Thus, the relevant articles of the Regulation apply, under which data controllers may transfer all types of personal data to a third country or an international organization outside the EU/EEA if any of the following conditions are met:

  • the EU Commission has established that the third-country/area or one or more specific sectors in the third country, or the international organization has adequate safeguards with respect to the protection of the rights of the data subject;
  • the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (such as through binding corporate rules – approved by the DPA);
  • the data controller or data processor and the international organization conclude the standard terms approved by the EU Commission.

If no judgement has been obtained on the third country’s adequate safeguards and no appropriate safeguards have been provided, including binding corporate rules, personal data can be transferred to a third country or an international organization if one of the following criteria is met:

  • the data subject has given his explicit consent;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
  • the transfer is necessary or legally required on important public interest grounds;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or other natural person, where the person concerned is physically or legally incapable of giving his or her consent;
  • the transfer is made from a register which according to law or regulations is open to consultation either by the public in general or by any person who can demonstrate legitimate interests, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
Last modified 18 Jul 2018
Security

The Danish Act does not set out provisions on security requirements. Thus, the relevant articles of the Regulation apply, under which data controllers and data processors must implement appropriate technical and organizational security measures necessary to protect data against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, abuse or other processing in violation of the provisions laid down in the Act.

Last modified 18 Jul 2018
Breach Notification

The Danish Act does not set out provisions on notification in case of a security breach. Thus, the relevant articles of the Regulation apply, under which the data controller must notify the DPA no later than 72 hours after becoming aware of the security breach.

Further, if the security breach is likely to expose the data subject to risk related to its rights and civil rights, the data controller shall notify the data subject without unnecessary delay.

Last modified 18 Jul 2018
Enforcement

The DPA, which consists of a Council and a Secretary, is responsible for the supervision of all processing operations covered by the Act.

The DPA can request any information necessary for the DPA’s operations, including for deciding whether the Act and the Regulation apply or not.

The DPA and its personnel can, without a court order, request access to premises from which processing of personal data is performed.

The DPA’s decisions are final and not subject to recourse.

The DPA may investigate data processing occurring in Denmark and its legality, despite the processing being subject to foreign law.

The DPA may publish its findings and decisions.

Any person suffering material or non-material damage due to unlawful data processing can claim damages.

Unless a higher penalty is incurred, processing deemed unlawful under the Act is sanctioned with a fine or imprisonment for up to 6 months.

In general, the Regulation aims to sanction with fines which are effective, reasonable and have preventive effect. More specifically, certain violations can be sanctioned with a fine of a maximum of EUR 10,000,000 or 2 % of the total annual turnover (if a company). Other types of violations can be sanctioned with a fine of a maximum of EUR 20,000,000 or 4 % of the total annual turnover (if a company).

The limitation period is 5 years.

Last modified 18 Jul 2018
Electronic Marketing

The Regulation applies to electronic marketing activities involving usage of personal data (e.g. an email address which includes the recipient's name).

Under the Regulation companies cannot pass on personal data to another company for direct marketing purposes or use the data on behalf of a company for marketing purposes, unless the data subject has given his or her explicit consent. In this regard, the strict standard for consent under the Regulation must be noted, and marketing consent forms must include a clearly worded opt-in mechanism (such as a ticking of an unticked consent box, or the signing of a statement, and not merely an acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

General customer information (general information forming the basis for customer classification) can, however, be passed on and processed without the data subject’s consent, if such is necessary for the purposes of legitimate interests pursued by the company and these interests are not overridden by the interests of the consumer. However, Special Categories of Personal Data and CPR-numbers can only be processed for marketing purposes with the consent of the data subject.

The company passing on the personal data or processing the personal data on behalf of a company for marketing purposes must first ensure that the data subject has not declined to receive marketing material by registering this with the Danish Central Office of Personal Registration.

For controllers selling catalogues of data on natural persons or addressing these natural persons on behalf of a company, only the natural person’s name, work position, address, occupation, e-mail, phone and fax numbers and business information published in business registers can be processed. Any other kind of data can only be processed if the data subject has consented thereto.

Further, specific rules on electronic marketing (including circumstances in which consent must be obtained) are regulated in Directive 2009/136/EC (the ePrivacy Directive), as transposed into the local laws of each Member State. In Denmark, the ePrivacy Directive has among other things been implemented in the Danish Marketing Practices Act.

Under the Danish Marketing Practices Act, a trader must not approach anyone by means of electronic mail, an automated calling system or a facsimile machine (fax) for the purposes of direct marketing unless the natural person concerned has given his prior consent. The trader must allow free and easy revocation of the consent.

Notwithstanding the above, a trader that has received a customer's electronic contact details in connection with the sale of products may market its own similar products to that customer by electronic mail, provided that the trader has clearly and distinctly given the customer the opportunity, free of charge and in an easy manner, of declining this both when giving his contact details to the trader and in all subsequent communications.

The ePrivacy Directive is to be replaced by an ePrivacy Regulation, a change which was forecast for spring 2018 but has now been postponed until spring 2019. From the wording of the latest draft, we can expect a significant toughening of the online and direct marketing landscape and, predictably, a convergence with the provisions in the Regulation.

Last modified 18 Jul 2018
Online Privacy

Directive 2009/136/EC (the ePrivacy Directive) was among other things also implemented in the Danish Act on Electronic Communications Services and Networks which came into force on 25 May 2011 in accordance with the implementation deadline in the Directive. In accordance with this act, the Danish Parliament adopted the Danish Executive Order on Electronic Communications Services and Networks which came into force on 25 May 2018 (the “Cookie Order”).

The Cookie Order should be read in light of the Regulation, where the rules regulate collection of data in a broader sense, not considering whether such information may be used to identify a natural person.

Under the “Cookie Order” the use of cookies requires consent. The consent must be freely given and specific. However, this does not imply that consent must be obtained each time a cookie is used but a user must be given an option. Furthermore, the consent must be informed which implies that a user must receive information about the consequences of consenting. Finally, the consent must be an informed indication of the user’s wishes.

Normally, consent is obtained through a tick box, but the use of a homepage after having received the relevant information concerning cookies can also constitute consent. Yet consent by use of a homepage must be used with caution.

In addition to this, the information to the user must fulfil the below mentioned requirements:

  • the information must be clear and easy to understand
  • the purpose of the use of the cookies must be provided
  • the identity of the person or entity which is responsible for the use of the cookies must appear
  • the possibility of withdrawal of consent must be easily accessible and be described in the information, and
  • this information must be easily accessible for the user at all times.

The ePrivacy Directive is to be replaced by an ePrivacy Regulation which is expected to be enacted in spring 2019. Hence, the above-mentioned rules are expected to change.

From the wording of the latest draft, it is unsurprisingly safe to say that the definition of consent used in the Regulation is carried on and is to be read across into the draft e-Privacy Regulation text. Further, the draft also introduces significant practical changes, so that obtaining consent will require much more effort. Technology providers are required to include default settings which must all be set to preclude third parties from storing of information on, or using information about, an end-user’s device. So, browsers would have to be pre-configured so that cookies used for frequency capping of ads or ad-serving would be blocked by default unless a user opts to enable them.

Last modified 18 Jul 2018
Contacts
Marlene Winther Plas
Partner
T +45 33 34 00 47
Last modified 18 Jul 2018