The Danish Data Protection Act has been passed!

06-2018

The Danish Data Protection Act has been passed by the Danish parliament. The GDPR (the General Data Protection Regulation) and the Danish Data Protection Act repeal the Danish Personal Data Processing Act as of 25 May 2018. 

In broad outlines the Act contains the following: 

  • Fines to public authorities

    It is possible to impose fines on public authorities. The explanatory remarks to the bill presume a maximum fine of 4 percent of the public authority's operating grant, but no more than 16 million DKK.

    It is specified that the lower maximum does not apply to private data processors that process personal data on behalf of a public authority. 
  • Processing personal data as part of HR-administration

    The existing rules on processing of personal data as part of personnel administration are re-enacted.

    The Danish Data Protection Act supplements the GDPR by allowing the processing of sensitive data in the course of personnel administration on the basis of legitimate interests.

    The rule also applies to public authorities, which is noteworthy, as public authorities cannot use the legal basis 'legitimate interest' in the GDPR.

    Furthermore, the Act establishes that consent may be used as a legal basis for the processing of HR-data. As such the Act extends the Danish Department of Justice's opinion in their report on the GDPR; an opinion that is contrary to the Article 29 Working Party's, which on numerous occasions has questioned the use of consent in employment relationships. 

  • Disclosure of personal data for marketing purposes

    The existing rules on the disclosure of personal data for marketing purposes from one company to another are re-enacted. It is remarkable that this rule is re-enacted since it is presumably contrary to the GDPR. 

  • Exceptions to the duty of disclosure and the right of access

    The data controller's information obligations and the data subjects' right of access do not apply to private data controllers if the data subject's interest in the data is found to give way to vital private interests.

    This rule is important as the GDPR does not contain any actual exceptions to the right of access. The rule may for instance be relevant when private data controllers conduct internal investigations – where the information obligations may be postponed and requests for access may be refused while investigations are ongoing.

    According to the law's explanatory notes, another example of a private interest that can justify keeping information about the processing confidential is the protection of business secrets.

    Public authorities are not required to comply with the rules in the GDPR concerning information obligations and the right of access if the data subject's interest in obtaining knowledge of the information is found to give way to vital public interests, including national security, national defence, public security and the investigation of criminal offences.

  • Designation of a data protection officer (DPO) 

    The legal basis in the GDPR to extend the requirement to designate a DPO has not been used in Denmark. 

  • The category of semi-sensitive personal data is left out

    Information about significant social issues and other purely private matters will henceforth be processed as general personal data. The former Danish special provision concerning semi-sensitive data therefore no longer exists. 

  • The "Rule of war"

    The Act moderates the so-called "rule of war", which according to the old Data Protection Act implied that larger public registers containing personal data must be stored in Denmark. Under the new rules, the Department of Justice will, after negotiations with the appropriate minister, issue an Executive Order determining that personal data processed as part of the public administration in specified IT-systems may only be stored in Denmark. It is the intention that the Executive Order will contain a list of such IT-systems. The list will be updated regularly when new IT-systems are considered.

  • Social security numbers

    The rules on processing of social security numbers (CPR numbers) are re-enacted for public authorities and private companies. However, the legal basis to process CPR numbers is expanded, as the processing of such numbers is also lawful if the conditions in the Danish Data Protection Act § 7 on special categories of personal data (sensitive data) are met.

  • Processing of data concerning criminal offences

    The new Act re-enacts the rules on processing of data concerning criminal offences for both public and private data controllers.

  • Age limit for consent to use information society services 

    The age limit for consent from children in order to use information society services (social media, apps etc.) has been lowered to 13 years.
    If the child is younger than 13 years of age, the consent has to be given or approved by the parent holding custody.  

  • Deceased persons

    The Act extends the scope of protection in the GDPR to include deceased persons for 10 years after the death of the person in question. The rule may be changed by a ministerial order. 

  • TV monitoring

    The new Danish Data Protection Act and the GDPR apply to the processing of personal data in relation to TV monitoring. The current rules on processing of personal data relating to TV monitoring are re-enacted in the Danish TV Monitoring Act as of 25 May 2018. 

  • Statute of limitations

    The limitation period for infringements of the GDPR and the Danish Data Protection Act is 5 years. 

  • Combination of data for control purposes

    The requirement for a distinct legal basis and preceding hearing of the Danish Data Protection Agency in relation to the combination of data for control purposes in public registers is removed. 

  • Credit rating agencies and warning registers

    The rules in the old Act concerning credit rating agencies and warning registers are re-enacted. The Danish Data Protection Act's chapter 4 on disclosure to credit rating agencies of information about public debt also applies to the processing of information concerning legal entities. 

    The Danish Data Protection Act and the GDPR's application on information about legal entities may be extended by a ministerial order. 

  • Notification to the Danish Data Protection Agency on warning registers, credit rating agencies and judicial information systems

    The requirements under the old Act on preceding approval from the Danish Data Protection Agency when using warning registers, credit rating agencies and judicial information systems are re-enacted. 

  • Transfer to archives 

    The rules concerning transferring to archives in accordance with the archival legislation are re-enacted. 

  • Public authorities' processing for a new purpose is extended

    The Danish Data Protection Act paves the way for the relevant minister, after negotiation with the Minister of Justice, to decide that personal data processed by public authorities may be further processed for purposes other than those for which the personal data were initially collected.

    Furthermore, public authorities' transparency obligations are limited when processing for a new purpose occurs, as the data subject in this situation does not have a right to be provided with information about the processing for such new purpose. However, this exception does not apply to the extent the purpose of the processing is alignment or combination of personal data for control purposes.  

  • Prohibition on transfers of sensitive data to third countries 

    The Danish Data Protection Agency is able to forbid the transfer of sensitive personal data to third countries that are deemed not to provide an appropriate level of safety for the processing of personal data.  

  • The Danish Data Protection Agency

    The current structure of the Danish Data Protection Agency with a council and a secretariat is re-enacted. 

  • Mass media and the freedom of speech

    The relation between data protection and the freedom of speech, including the relation to mass media, is not subject to the Data Protection Act. 

  • Administrative penalties

    The Danish Data Protection Agency can impose penalty notices in uncomplicated matters. In all other situations, matters concerning penalties for infringement of the data protection legislation in the form of fines must be brought before the courts.