Denmark

Stage of legislative progress
Eg. pre-consultation, in consultation

Danish Data Protection Act passed on 17 May 2018.

Approach to implementation
Eg. amendments to existing law, total repeal of old laws

Replaced the former Act on Processing of Personal Data.

Timescale for implementation
Eg. pre-consultation, in consultation

The Danish Data Protection Act passed on 17 May 2018.

Areas where Member States must have local laws:

Personal data and freedom of expression

n/a

Penalties

Administrative fines as prescribed in the GDPR are not permitted under Danish law. Fines will be imposed by the courts as a criminal penalty. However, the Danish Supervisory Authority may impose administrative fines in uncomplicated cases, where the person accused of the violation pleads guilty and agrees to pay the fine.

Areas where Member States may have local laws:

Professional secrecy

§ 7(3) permits data processing by healthcare professionals bound by secrecy;

§ 24 binds DPOs to secrecy.

Scientific, historical or statistical purposes

§ 10 permits processing of special category data and data related to criminal offences for statistical or scientific purposes when necessary for reasons of substantial public interest and if necessary for the research;

§ 11(3) permits processing of personal identification numbers by private organisations for statistical or scientific purposes;

§ 22(5) restricts data subjects' rights in relation to statistical or scientific purposes.

Employment

§ 12 permits data processing in the employment context when:

(1) it is necessary for compliance with employment obligations or rights laid down by law or collective agreements;
(2) it is necessary to pursue a legitimate interest arising from law or collective agreements, unless the interest is overridden by the rights and freedoms of the data subject;
(3) the data subject has given his or her consent.

Personal data of deceased persons

§ 2(5): Data Protection Act and the GDPR apply to deceased persons until 10 years after the time of death

Children online

13 years

Special rules for special categories of data

§ 7(1) states that the legal bases in GDPR art. 9(1)(a) and (c-f) apply directly in Denmark without any modifications or limitations.

§ 7(2)-(4), however, only partially activates the legal bases in GDPR art. 9(1)(b), (g) and (h), i.e. with certain modifications compared to the wording of the GDPR articles, in line with Danish legislation.

§ 7(5) provides that a minister may, after negotiations with the minister of justice, establish specific rules on the processing of special category data within the framework of the GDPR

Genetic, biometric or health data

n/a

Designation of a Data Protection Officer

§ 24 binds DPOs to secrecy.

National identification numbers/any other identifier of general application

§ 11 - specific rules on when public authorities and private companies may process national identification numbers.

Other:

Any other areas under discussion

§ 5(3) provides that public authorities may process personal data for other purposes than the purpose for which the data originally were collected even where the purpose is incompatible; however in the case of health data or genetic data, the purposes must be compatible. When public authorities make use of this rule, they are exempted from the obligation in GDPR art. 13(3) and 14(4) to inform the data subject of this further processing unless the processing is for control purposes, c.f. § 23.