
DENMARK: An Introduction to Data Protection

Contributors:

Marie-Louise Gammelgaard Wulff

Nilas Monberg

Kasper Bilde Nielsen

Cecilie Frey Dreisler

Introduction

In Denmark, as in the rest of Europe, data protection is a fast-developing area of practice, demanding ongoing focus from organisations to ensure compliance with requirements set out in legislation and established through the ever-developing practice. For organisations operating in Denmark, it is essential to understand how data protection is understood, interpreted and enforced in Denmark in order to navigate the risks associated with non-compliance in this area. In this article we delve into certain key focus areas and trends within data protection in Denmark.

Increased Focus on Security of Processing

Over the past few years, the Danish Data Protection Agency (“Datatilsynet”) has placed an increasing focus on security of processing pursuant to Article 32 of the GDPR. This is evident from, for example, the large number of guidelines Datatilsynet has published on the topic over the last few years. Datatilsynet interprets Article 32 of the GDPR as requiring organisations to prepare documented risk assessments in order to demonstrate compliance with that provision. These data protection risk assessments differ from, for example, IT security risk assessments because the data protection risk assessments must focus on the risks that the processing entails to the data subjects, not the organisation.

It is common for Datatilsynet to request a copy of an organisation’s risk assessment for a specific processing activity in connection with Datatilsynet’s review of a reported personal data breach, and security of processing is the topic within Danish data protection legislation on which Datatilsynet has, by far, issued the most decisions with sanctions over the last few years. In addition, some of the largest fine claims in Denmark relate to security of processing, including missing or inadequate risk assessments and data protection impact assessments.

The Danish focus on security of processing makes it necessary for organisations operating in Denmark to ensure that they have prepared risk assessments and – where needed – data protection impact assessments and that such documentation is sufficiently thorough, including in relation to the more technical aspects of the processing activities. This necessitates a close collaboration between legal data protection stakeholders and IT security stakeholders in the organisation.

The Danish Focus on Deletion of Personal Data

Datatilsynet has repeatedly focused on deletion of personal data, and the first major fine cases in Denmark have concerned failure to delete personal data. Danish cases have shown a strict approach to the obligation to delete personal data when it is no longer necessary. Among other things, the following can be derived from Danish cases on the topic.

  • Organisations’ established retention periods are binding. If the retention period set by the organisation itself is not complied with, the principle of storage limitation has been violated, regardless of whether the organisation could have legally set a longer retention period.
  • Keeping personal data for even one day longer than prescribed by the organisation’s established retention period constitutes a violation of the obligation to delete personal data that is no longer necessary for the purpose.
  • Documented procedures for regular follow-ups on whether personal data is deleted in accordance with the established retention periods must be in place, even when deletion is carried out automatically.

These key takeaways call for organisations to thoroughly consider their retention periods, to document the reasoning behind the retention periods and to be careful not to set retention periods that are too short or too tight.

AI as an Area of Focus

The rapid development of artificial intelligence in recent years has led to an increased focus on the data protection risks of AI solutions. The primary areas of focus in this regard are topics such as legal basis, data minimisation, purpose limitation and data subject rights. Risk assessments and data protection impact assessments serve as particularly important documentation as well as useful tools in assessing the risks associated with the processing and should be prioritised before new AI solutions are implemented.

Due to the large focus on AI in society in general, Datatilsynet also focuses on data protection in relation to AI solutions. Within the last couple of years, Datatilsynet has published both guidelines on the use of AI solutions and a data protection impact assessment template specifically for AI solutions to help organisations handle data protection risks in relation to AI. Further, Datatilsynet has planned its first inspections on the use of AI in 2025.

Impact of Other Digital Legislation

In Denmark, as in the rest of the EU, new digital legislation washes over organisations like a tsunami, setting new requirements and standards that force organisations to invest in digital compliance. As several of the new key EU regulations in this area are to some degree inspired by the GDPR, there is an increasing focus on exploiting some of the synergies between the GDPR and different new digital legislation such as the AI Act, NIS2, Cyber Resilience Act and Data Act. Using already established GDPR compliance as an anchor for the implementation of the new digital legislation helps bring down costs associated with the increasing amount of compliance-related work while at the same time establishing a more sustainable compliance programme enabling a higher degree of de facto compliance rather than paper compliance.  

At the same time, the increasing requirements for digital compliance mean organisations need to treat digital compliance risk management as an important part of their enterprise risk management. This need becomes even more important because some new digital regulations, such as the NIS2 Directive, require that top management have the right knowledge, education and involvement in managing these digital risks.

Overall, the GDPR is expected to play an increasing role in Danish organisations’ risk management focus in the future.

The Danish Approach to GDPR Infringements

Datatilsynet has authority to express criticism, serious criticism, and issue injunctions and bans as sanctions. However, Datatilsynet lacks the authority to issue fines for non-compliance with the GDPR. Instead, Datatilsynet files a report with the police with a recommendation for the size of the fine, and the matter is thereafter handled as a criminal case.

In Denmark, the general legal tradition is that compensation is, as a main rule, only granted in cases of material damage, and that the threshold for claiming compensation for non-material damage is high.

Danish case law has recognised compensation for non-material damages associated with infringements of data protection legislation even before the GDPR entered into force, but the non-material damages should be of a certain qualified nature. This practice has also been followed in cases tried before the Danish courts after the GDPR entered into force.

Overall, current Danish case law reveals a gap between the Danish threshold for claiming compensation for non-material damages under Article 82 of the GDPR and case law in other European countries. The expectation, however, is that we will see an increase in Danish cases concerning compensation for non-material damages under Article 82 of the GDPR in the future.