The Danish Data Protection Act

The 2018 Danish Data Protection Act (English version) supplements the EU’s GDPR (General Data Protection Regulation) by filling in sections of the Regulation that are left to individual member states to interpret and implement.

Because the Act supports the GDPR rather than enacting it, the two laws should be read together.

Find out more about the GDPR >>

How IT Governance can help

Find out more about the GDPR on our dedicated information pages below. You can also contact our team of experts to discover how we can support your organisation.

Find out more about the GDPR


A brief history of Danish data protection law

  • The EU Data Protection Directive 1995 and the Danish Act on Processing of Personal Data

    The Act on Processing of Personal Data of 2000 (English version) enacted the provisions of the EU’s Data Protection Directive 1995 (Directive 95/46/EC) in Denmark.

    Among other stipulations, it set out four key data protection rules to ensure that personal data was:

    1. Collected and processed only for specified, explicit and legitimate purposes;
    2. Adequate, relevant and not excessive;
    3. Accurate and up to date; and
    4. Not retained for longer than necessary.

    The Data Protection Directive 1995 and all local laws derived from it, including the Danish Act on Processing of Personal Data, have now been superseded by the GDPR.

  • The GDPR and the Data Protection Act

    Originally proposed by the European Commission in January 2012, the GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament in April 2016, published in the Official Journal of the European Union on 4 May 2016 and entered into force on 24 May 2016. Following a two-year transition period, it was enforced in all EU member states on 25 May 2018.

    In Denmark, the new Data Protection Act was also enacted in May 2018 to supplement the GDPR by filling in sections of the Regulation that are left to individual member states to interpret and implement. For example, the Act applies and extends the application of the GDPR to the data of deceased persons for a period of ten years following their death.

    Under the GDPR, data subjects have the right to lodge a complaint with their supervisory authority if they consider that the processing of their personal data infringes the Regulation, and the right to an effective judicial remedy against data controllers and processors if they consider their rights to have been infringed by processing that does not comply with the Regulation. In Denmark, the Datatilsynet (Data Protection Agency) is responsible for monitoring the application of the Regulation and the Data Protection Act.

    On top of this, the Data Protection Agency has the power to “impose a temporary or definitive limitation including a ban on processing” (Article 58(2f) of the GDPR). This effectively means that it can shut organisations down altogether.

    The GDPR is backed by a regime of considerably higher penalties than the Act on Processing of Personal Data, with administrative fines of up to €20 million or 4% of global annual turnover – whichever is greater. In Denmark, the fines are imposed by the courts as a criminal penalty, rather than the Data Protection Agency.

    Click here for more information about the GDPR and the Data Protection Act >>

  • The ePrivacy Directive and Regulation

    The EU’s 2002 ePrivacy Directive, also referred to as the ‘cookies law’, sets out rules on electronic communications, including:

    • Marketing emails;
    • Faxes;
    • Texts;
    • Phone calls;
    • The use of cookies that track website visitors’ information;
    • The security of public electronic communications services; and
    • The privacy of end users.

In Denmark, the main laws that enact the Directive are:

The ePrivacy Regulation or ePR (Regulation on Privacy and Electronic Communications) is set to supersede the 2002 ePrivacy Directive and all member state laws that enforce it, including the Danish laws listed above. It was originally intended to come into effect alongside the GDPR on 25 May 2018 but is now tentatively scheduled to apply from 2019.

The ePR is broader in scope and aims to ensure stronger privacy in all electronic communications – including OTT (over-the-top) service providers such as instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and machine-to-machine communications such as the IoT (Internet of Things).

Click here for more information about the ePR >>

The difference between EU regulations and directives

The EU has two types of legal instruments that are used to regulate business: directives and regulations.

  • Directives set minimum standards and parameters for the EU but leave the actual implementation down to the states themselves. The Data Protection Directive and ePrivacy Directive fall into this category. When a directive is passed, the EU sets a deadline by which every member state must have put it into force, whether by law, regulation or other initiative.
  • Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. The ePR and the GDPR fall into this category. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.

Speak to an expert

Please contact our expert team, who will be able to give advice and guidance about the compliance options.