|Stage of legislative progress
|Eg. pre-consultation, in consultation
Danish Data Protection Act passed on 17 May 2018.
|Approach to implementation
|Eg. amendments to existing law, total repeal of old laws|
Replaced the former Act on Processing of Personal Data.
|Timescale for implementation
|Eg. pre-consultation, in consultation|
The Danish Data Protection Act passed on 17 May 2018.
Areas where Member States must have local laws:
|Personal data and freedom of expression
Administrative fines as prescribed in the GDPR are not permitted under Danish law. Fines will be imposed by the courts as a criminal penalty. However, the Danish Supervisory Authority may impose administrative fines in uncomplicated cases, where the person accused of the violation pleads guilty and agrees to pay the fine.
Areas where Member States may have local laws:
§ 7(3) permits data processing by healthcare professionals bound by secrecy;
§ 24 binds DPOs to secrecy.
|Scientific, historical or statistical purposes
§ 10 permits processing of special category data and data related to criminal offences for statistical or scientific purposes when necessary for reasons of substantial public interest and if necessary for the research;
§ 11(3) permits processing of personal identification numbers by private organisations for statistical or scientific purposes;
§ 22(5) restricts data subjects' rights in relation to statistical or scientific purposes.
§ 12 permits data processing in the employment context when:
(1) it is necessary for compliance with employment obligations or rights laid down by law or collective agreements;
(2) it is necessary to pursue a legitimate interest arising from law or collective agreements, unless the interest is overridden by the rights and freedoms of the data subject;
(3) the data subject has given his or her consent.
|Personal data of deceased persons
§ 2(5): Data Protection Act and the GDPR apply to deceased persons until 10 years after the time of death
|Special rules for special categories of data
|Genetic, biometric or health data
|Designation of a Data Protection Officer
§ 24 binds DPOs to secrecy.
|National identification numbers/any other identifier of general application
§ 11 - specific rules on when public authorities and private companies may process national identification numbers.
|Any other areas under discussion
§ 5(3) provides that public authorities may process personal data for other purposes than the purpose for which the data originally were collected even where the purpose is incompatible; however in the case of health data or genetic data, the purposes must be compatible. When public authorities make use of this rule, they are exempted from the obligation in GDPR art. 13(3) and 14(4) to inform the data subject of this further processing unless the processing is for control purposes, c.f. § 23.