Feb 2025

Denmark

Law Over Borders Comparative Guide:

Data Protection

Introduction

For nearly 30 years, Danish data protection legislation has been based on EU law. Since 25 May 2018, the European General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) has been applicable in Denmark and is thus the primary law to consider when it comes to data protection in Denmark. This means that the judicial and administrative decisions from both the European Data Protection Board and the Court of Justice of the European Union must be considered when assessing data protection matters in Denmark.

Administrative decisions from the Danish supervisory authority, the Data Protection Agency (Datatilsynet), must also be considered when it comes to data protection in Denmark. These decisions supplement and clarify the GDPR in a Danish context. In that respect, it must be noted that the Data Protection Agency cannot issue fines. In Denmark, fines for non-compliance with data protection laws are issued by the courts.

1. What national laws regulate the collection, use and disclosure of personal data?

The GDPR gives each EU Member State some leeway to implement national legislation to supplement and clarify certain provisions of the regulation. 

The Danish Data Protection Act (consolidated Act No. 289 of 8 March 2024 on supplementary provisions to the regulation on the protection of natural persons with regard to the processing of personal data and the free movement of such data) (“the Act”) is the primary law containing such supplementary national provisions, as well as some of the special provisions of the GDPR that each Member State must implement for these provisions to enter into effect.

The Act does not apply to processing exclusively for journalistic purposes, nor to processing for the sole purpose of artistic and literary expression. For such processing, only basic provisions in the GDPR on data security and controller-processor arrangements apply.

Similarly, the Act and the GDPR have limited application regarding the processing of personal data in information databases operated by mass media. 

Processing of personal data in information databases operated by mass media that are governed by the Danish Act on Information Databases of Mass Media (Act No. 430 of 1 June 1994 with amendments) is subject to the pre-GDPR data protection provisions contained in that act.

The European Privacy and Electronic Communications Directive (Directive 2002/58/EC), otherwise known as the ePrivacy Directive and amended by Directive 2009/136/EC, regarding data protection and the right to privacy in the electronic communication sector, has been implemented by special provisions in the Danish Marketing Practices Act (consolidated Act No. 1420 of 2 December 2024) and in the Danish Act on Electronic Communications and Network Services (consolidated Act No. 955 of 17 June 2022), along with the Danish Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment (Executive Order No. 1148 of 9 December 2011, known as the Cookie Order).

Further, numerous Danish laws concerning the public sector and the healthcare sector provide for special provisions on data protection, including the Danish Civil Registration System Act (consolidated Act No. 1010 of 23 June 2023), which, in Part 7, supplements the GDPR to the extent permitted by the GDPR. Many of these provisions originate from pre-GDPR legislation but are still deemed necessary to safeguard the privacy of data subjects in need of help or services from public authorities or authorised health personnel. 

The Danish TV Surveillance Act (consolidated Act No. 182 of 24 February 2023) supplements the GDPR and the Act regarding processing of personal data in relation to TV surveillance. The Video Surveillance Act governs the use of video surveillance by public authorities and private organisations, as well as private citizens. 

The Danish Financial Business Act (consolidated Act No. 1013 of 21 August 2024) supplements the GDPR and the Act as it contains special provisions on the disclosure of personal data (and other confidential information) in the course of conducting financial business, as well as the use of personal data for marketing purposes in relation to financial businesses. 

For the purposes of this chapter, the focus is on the Act.

2. To whom do the laws apply?

Danish legislation on data protection follows the definitions set out in the GDPR. Thus, the key concepts are:

  • Personal data: information regarding an identified or identifiable natural person or persons.
  • Data subject: the natural person whose personal data is being processed. In Denmark, personal data relating to deceased individuals is governed by the Act and the GDPR for 10 years after the death of the individual.
  • Data controller: the natural or legal person that determines the purpose and means of the data processing. Employees and others belonging to the data controller’s organisation who are involved in processing of personal data in the interest of and following instructions from this data controller do not constitute either data processors or data controllers.
  • Data processor: the natural or legal person, different from the data controller, that performs the processing of personal data on behalf of the data controller. The processing of personal data must be regulated by a contract or other legal act under Union or Member State law. 

The Act’s scope is broader than that of the GDPR, as specific provisions apply when personal data is manually disclosed to another administrative authority.

In addition, the Act prescribes that, in special cases, both the GDPR and the Act apply to the processing of data concerning enterprises, etc., e.g. when the processing is carried out for credit information agencies, and when the processing is carried out for the purpose of warning others against having business relations with such enterprises. 

Further, the special provisions in Part 4 of the Act, which concerns disclosure to credit information agencies of data on debts to public authorities, also apply to data concerning enterprises, etc.

3. What is the territorial scope of the law?

The Act applies to the processing of personal data performed for a data controller or data processor established in Denmark. This means that the Act applies even if the actual processing of personal data takes place outside of the EU. The processing of personal data for Danish diplomatic representations also falls within the scope of the Act.

The Act also applies extraterritorially to data controllers or data processors based outside of the EU, if the processing concerns the supply of goods or services to data subjects in Denmark or concerns monitoring of the behaviour of data subjects in Denmark.

4. What acts and operations relating to personal data are regulated?

The material scope of the Act is, with a few exemptions, the same as the material scope of the GDPR. 

As such, the Act applies “to all processing of personal data carried out, in full or in part, by the means of automatic data processing, and to any other non-automatic processing of personal data that are or are intended to be contained in a filing system”. 

Pursuant to the Act there are some national derogations to the material scope of the GDPR, i.e. for journalistic, artistic or literary purposes, parliamentary work, and when personal data is processed by the Danish Appeals Permission Board.

Any type of processing of personal data in relation to TV surveillance, including manual data processing, is subject to the Act.

5. What personal data does the law regulate?

The Act does not contain a definition of personal data; as noted (see above, Question 2), the definition contained in the GDPR is applicable, i.e. information regarding an identified or identifiable natural person.

In accordance with the GDPR, all means reasonably likely to be used should be considered when determining whether a natural person is identifiable. 

Further, the GDPR defines pseudonymised personal data as data that can only be attributed to a specific data subject with the use of additional information, where the access to such additional information is limited. As such, the GDPR and the Act apply in relation to the processing of pseudonymised personal data. 

In contrast, personal data that has been anonymised, i.e. has been processed to irreversibly prevent identification of the natural person, is not considered personal data. The anonymisation process per se is a processing of personal data, which falls within the scope of the Act and the GDPR.

6. Are any types of personal data subject to a higher level of protection under the law?

Confidential personal data does not necessarily fall within the special categories of personal data mentioned in Article 9 of the GDPR but must nevertheless be processed with due regard for confidentiality; for instance, when determining the lawfulness of processing and assessing the appropriate technical and organisational measures to be implemented. 

As such, Danish legislation recognises confidential personal data as an unofficial type of personal data (in Danish, fortrolig personoplysning).

Examples of confidential personal data are national identification numbers, passports and other identification documents, financial information, information concerning significant social issues, and information concerning criminal convictions and offences, among others.

The Act contains special provisions on the processing of national identification numbers (in Danish, CPR-nummer), and on the processing of information concerning criminal convictions and offences. 

Furthermore, there are special provisions in the Act on processing of personal data by credit information agencies. For instance, only data which by its nature is of importance for the assessment of financial standing and creditworthiness can be processed.

Further, sectoral legislation often has special provisions on the processing of confidential information including personal data, e.g. the Danish Financial Business Act (see above, Question 1).

7. What requirements must be fulfilled in order to process personal data?

In addition to the GDPR requiring that the data controller establish a legal basis for the processing of personal data, the Act specifies that certain requirements must be fulfilled for the processing of certain types of personal data, e.g. national identification numbers, information concerning criminal convictions and offences, and personal data in an employment context.

When the processing of a child’s personal data in relation to information society services is based on consent given by the child, the Act specifies that the child must be at least 15 years old for such processing to be lawful. 

8. What obligations apply when processing personal data?

In general, there is no obligation to obtain prior approval of a processing activity under the GDPR. 

The data controller must always be able to demonstrate compliance with the GDPR, i.e. that the processing of personal data is lawful, that appropriate technical and organisational measures to protect personal data have been implemented, and that the data subjects’ rights can be met.

Any use of data processors must be based on a written contract or other legal act under Union or Member State law. The Data Protection Agency has published a standard contract in both Danish and English.

Pursuant to the Act, private sector data controllers are, in special cases, obliged to obtain prior approval of a processing activity from the Data Protection Agency. 

The Act imposes a specific obligation on credit information agencies to obtain authorisation from the Data Protection Agency prior to processing personal data. 

Furthermore, before initiating processing of personal data for a private data controller, authorisation has to be obtained from the Data Protection Agency where the processing of personal data is carried out for the purpose of warning others against having business relations or accepting employment with a data subject, for the purpose of commercial disclosure of data for the assessment of financial standing and creditworthiness, or exclusively for the purpose of operating legal information systems.

Prior approval is also required by all data controllers in relation to special cases of disclosure of personal data that has been processed in relation to statistical or scientific studies. When giving such approvals, the Data Protection Agency will set special conditions for the processing activities or the disclosure of personal data.

9. What rights does the data subject have in relation to personal data?

Data subjects have rights in relation to personal data as set out in Chapter III of the GDPR, inter alia the right to receive clear, transparent information about the data controller’s collection and processing of the data subject’s personal data (the right to be informed) and the data subject’s right to object, on grounds relating to the data subject’s particular situation, to any further processing of the data subject’s personal data (the right to object). However, the Act contains a few exemptions to these rights.

Sections 22 and 23 of the Act restrict the scope of the obligations and rights set out in specific articles of the GDPR under certain circumstances. For example, if the processing of personal data takes place exclusively for scientific or statistical purposes, the data subject does not have the right of access, the right to rectification, the right to restriction of processing or the right to object.

Further, under the Act, Chapter III on the rights of data subjects in the GDPR does not apply in relation to: processing exclusively for journalistic purposes; processing for the sole purpose of artistic and literary expression; or processing of personal data in information databases operated by mass media not governed by the Danish Act on Information Databases of Mass Media (Act No. 430 of 1 June 1994 with amendments).

10. What rules regulate the sending of commercial or direct marketing communications?

The Act requires a company to check a national register (regarding consumers who do not want to be contacted for the purpose of marketing activities) before any disclosure to another company or before any use on behalf of another company of information on the consumer for the purpose of direct marketing.

Section 10 of the Danish Marketing Practices Act (consolidated Act No. 1420 of 2 December 2024) supplements the GDPR and the Act when it comes to unsolicited direct marketing (implementation of Article 13 of the ePrivacy Directive (Directive 2002/58/EC)).

11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

The GDPR imposes restrictions on the transfer of personal data to countries outside of the European Economic Area (EEA) and to international organisations. The Act does not vary this requirement. 

If the transfer of personal data that falls into a special category (as set out in Article 9(1) of the GDPR) is not based on an adequacy decision (Article 45, GDPR), the Data Protection Agency may, in exceptional cases, prohibit, restrict, or suspend such a transfer.

12. What are the investigatory and enforcement powers of the regulator?

The Data Protection Agency has statutory powers to do the following:

  • examine complaints from individuals in relation to potential infringements of data protection law;
  • conduct inquiries and investigations regarding infringements of data protection legislation and take enforcement action where necessary;
  • promote awareness amongst members of the public of their rights to have their personal information protected under data protection law;
  • drive improved awareness and compliance with data protection legislation by data controllers and processors through the publication of high-quality guidance, and proactive engagement with public and private sector organisations;
  • through consultation with organisations, assist in identifying risks to personal data protection; and 
  • co-operate with other data protection authorities.

13. What are the sanctions and remedies for non-compliance with data protection laws?

Data subjects who suffer a material or non-material loss because of non-compliance with the GDPR and the Act may be entitled to compensation from the data controller or from the data processor. Case law on this matter is still limited, as few such cases have been tried before the Danish courts.

In accordance with the GDPR, the Act grants a data subject (or a data subject’s representative) the possibility of lodging a complaint with the competent supervisory authority or bringing issues of whether data controllers or data processors comply with the Act before the courts.

However, while the GDPR permits supervisory authorities to impose administrative fines, the Data Protection Agency cannot issue such fines. In Denmark, fines for non-compliance with the GDPR or the Act are issued by the courts. The Act does allow the authority, under special conditions, to issue a notice, provided that a sufficiently precise level of fines for the specific violation has been established in case law. Such case law has yet to be established by the Danish courts.

In some cases, the courts can impose imprisonment of up to six months for non-compliance with the GDPR and the Act.
