The Danish Data Protection Act passed on 17 May 2018.
Replaced the former Act on Processing of Personal Data with a new Data Protection Act on 25 May 2018.
Danish Data Protection Act passed on 17 May 2018.
Areas where Member States must have local laws:
Administrative fines as prescribed in the GDPR are not permitted under Danish law. Fines will be imposed by the courts as a criminal penalty. However, the Danish Supervisory Authority may impose administrative fines in uncomplicated cases, where the person accused of the violation pleads guilty and agrees to pay the fine.
Areas where Member States may have local laws:
§ 7(3) permits data processing by healthcare professionals bound by secrecy; § 24 binds DPOs to secrecy.
§ 10 permits processing of special category data and data related to criminal offences for statistical or scientific purposes when necessary for reasons of substantial public interest and if necessary for the research;
§ 11(3) permits processing of personal identification numbers by private organisations for statistical or scientific purposes;
§ 22(5) restricts data subjects' rights in relation to statistical or scientific purposes.
§ 12 permits data processing in the employment context when:
(1) it is necessary for compliance with employment obligations or rights laid down by law or collective agreements;
(2) it is necessary to pursue a legitimate interest arising from law or collective agreements, unless the interest is overridden by the rights and freedoms of the data subject;
(3) the data subject has given his or her consent.
§ 2(5) states that the Data Protection Act and the GDPR applies to deceased persons until 10 years after the time of death.
§ 6(3) lowers the age of consent to 13.
The Danish Health Act contains more specific rules on processing of personal data within the health sector.
§ 24 binds DPOs to secrecy.
§ 11 contains specific rules on when public authorities and private companies may process national identification numbers.
§ 5(3) provides that public authorities may process personal data for other purposes than the purpose for which the data originally were collected even where the purposes is incompatible; however in the case of health data or genetic data, the purposes must be compatible. When public authorities make use of this rule, they are exempted from the obligation in GDPR art. 13(3) and 14(4) to inform the data subject of this further processing unless the processing is for control purposes, c.f. § 23.