Denmark

Overview

Stage of legislative progress 
Eg. pre-consultation, in consultation

Danish Data Protection Act passed on 17 May 2018.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

Will replace current Data Protection Act with a new Data Protection Act on 25 May 2018.

Timescale for implementation 
Eg. pre-consultation, in consultation

Danish Data Protection Act passed on 17 May 2018.


Areas where Member States must have local laws:

Personal data and freedom of expression 

n/a

Penalties

Administrative fines as prescribed in the GDPR not permitted under Danish law. Fines will be imposed by the courts as a criminal penalty. However, the Danish Supervisory Authority may impose administrative fines in uncomplicated cases, where the person accused of the violation pleads guilty and accepts to pay the fine.


 

Areas where Member States may have local laws:

Professional secrecy 

§ 7(3) permits data processing by healthcare professionals bound by secrecy; § 24 binds DPOs to secrecy.

Scientific, historical or statistical purposes 

§ 10 permits  processing of special category data and data related to criminal offences for statistical or scientific purposes  when necessary for reasons of substantial public interest and if necessary for the research;
§ 11(3) permits  processing of personal identification numbers by private organisations for statistical or scientific purposes; 
§ 22(5) restricts data subjects' rights in relation to statistical or scientific purposes.

Employment

§ 12 permits data processing in the employment context when: (1)  it is necessary for compliance with employment obligations or rights laid down by law or collective agreements; (2)  it is necessary to pursue a legitimate interest arising from law or collective agreements, unless the interest is overridden by the rights and freedoms of the data subject;(3) the data subject has given his or her consent.

Personal data of deceased persons 

§ 2(5) states that the Data Protection Act and the GDPR applies to deceased persons until 10 years after the time of death.

Children online

§ 6(3) lowers the age of consent to 13.

Special rules for special categories of data
§ 7(5) provides that a minister after negotiations with the minister of justice may establish specific rules on the processing of special category data within the framework of the GDPR.

Genetic, biometric or health data

 Danish Health Act contains more specific rules on processing of personal data within the health sector.

Designation of a Data Protection Officer

§ 24 binds DPOs to secrecy.

National identification numbers/any other identifier of general application

n/a

 


 

Other:

Any other areas under discussion

§ 5(3) provides that public auhthorities may process personal data for other purposes than the purpose for which the data originally were collected despite the purposes being incompatible; if health data or genetic data, the purposes must however be compatible. When public authorities make use of this rule, they are excempted from the obligation in GDPR art. 13(3) and 14(4) to inform the data subject of this further processing unless the processing is for control purposes, c.f. § 23.