Denmark: A Data Protection Overview
Contributors:
Marie-Louise Gammelgaard Wulff
Johanne Eeg Bækbøl Pedersen
Cecilie Frey Dreisler
Introduction
In Denmark, like in the rest of Europe, data protection is a fast-developing area of practice, demanding ongoing focus from organisations to ensure compliance with requirements set out in legislation and established through the ever-developing practice. For organisations operating in Denmark, it is essential to understand how data protection is understood, interpreted and enforced in Denmark in order to navigate the risks associated with non-compliance within this legal discipline. In this article we delve into certain key focus areas and trends within data protection in Denmark.
Increased Focus on Security of Processing
Over the past years, the Danish Data Protection Agency (“Datatilsynet”) has had an increased focus on security of processing pursuant to Article 32 of the GDPR. This is, for example, evident through the large number of guidelines Datatilsynet has published on the topic over the last few years.
Datatilsynet interprets Article 32 as requiring organisations to carry out and document risk assessments to demonstrate compliance, with the focus on the risks that the processing poses to data subjects rather than risks to the organisation.
Security of processing is the topic on which Datatilsynet has issued the most decisions with sanctions, and some of the largest fine claims in Denmark relate to missing or inadequate risk assessments and data protection impact assessments.
The primary challenge organisations face is producing adequate documented risk assessments that are sufficiently thorough and updated, including in relation to the more technical aspects of the processing activities. This necessitates a close collaboration between legal data protection stakeholders and IT security stakeholders in the organisation.
The Danish Focus on Deletion of Personal Data
Datatilsynet has repeatedly focused on deletion of personal data, and the first major fine cases in Denmark have concerned failure to delete personal data. Danish cases have shown a strict approach to the obligation to delete personal data when it is no longer necessary.
Among other things, the Danish cases demonstrate that retention periods defined by an organisation itself are binding. Failure to comply with such periods constitutes a violation, even where a longer retention period could otherwise have been justified, and also where personal data is retained for even a single day beyond the established retention period. Datatilsynet has also emphasised the need for documented procedures to ensure and verify deletion, including in automated deletion setups.
These developments highlight the importance of carefully defining, documenting and operationalising retention periods.
AI as an Area of Focus
The rapid development of artificial intelligence has led to an increased focus on the data protection risks of AI solutions. The primary focus areas in this regard are topics such as legal basis, data minimisation, purpose limitation, transparency and data subject rights. Risk assessments and data protection impact assessments serve as particularly important documentation as well as useful tools in assessing the risks associated with the processing, and should be prioritised before new AI solutions are implemented.
Due to the large focus on AI in society in general, Datatilsynet also focuses on data protection in relation to AI solutions. Datatilsynet has, within the last couple of years, published guidelines on the use of AI solutions as well as a data protection impact assessment template specifically for AI solutions to help organisations handle data protection risks in relation to AI. Furthermore, Datatilsynet conducted its first AI inspections in 2025 and has stated that in 2026 it will further increase its focus in this area, particularly in relation to the healthcare sector’s use of decision-supporting AI in the treatment of patients and the use of AI to monitor citizens in care.
Interaction With Other EU Digital Legislation
In Denmark, like in the rest of the EU, new digital legislation washes over organisations like a tsunami, setting new requirements and standards, forcing organisations to invest in digital compliance. As several of the new key EU regulations in this area are to some degree inspired by the GDPR (risk-based compliance, documentation and governance), there is an increasing focus on exploiting some of the synergies between the GDPR and different new digital legislation such as the AI Act, NIS2, Cyber Resilience Act, Digital Services Act and Data Act.
Using already established GDPR compliance frameworks as an anchor for the implementation of the new digital legislation helps bring down costs associated with the increasing amount of compliance-related work while at the same time establishing a more sustainable compliance programme that ensures consistent risk management and enables a higher degree of de facto compliance rather than paper compliance. The expanding range of digital compliance requirements also makes it necessary to treat digital compliance risk management as a part of organisations’ enterprise risk management. This is further emphasised by the requirements for top management’s knowledge, education and risk management set out in some of the new digital regulation such as the NIS2.
Things have become even more interesting with the European Commission’s proposed new Digital Package (Digital Omnibus), which aims to simplify and potentially harmonise digital rules to gain greater significance. There is reason to monitor these developments closely.
Overall, the GDPR is expected to play an increasing role in Danish organisations’ risk management focus in the future.
The Danish Approach to GDPR Infringements
Datatilsynet has authority to express criticism, serious criticism, and issue injunctions and bans as sanctions. However, Datatilsynet does not have authority to issue fines for non-compliance with the GDPR. Instead, Datatilsynet files a report with the police with a recommendation for the size of the fine, and the matter is thereafter handled as a criminal case.
In Denmark, the general legal tradition is that compensation is, as a main rule, only granted for material damages, and that the threshold for claiming compensation for non-material damages is high.
Danish case law has recognised compensation for non-material damages associated with infringements of data protection legislation even before the GDPR entered into force, but the non-material damages should be of a certain qualified nature. This practice has also been followed in cases tried before the Danish courts after the GDPR entered into force.
To date, Danish case law has revealed a gap between the Danish threshold for claiming compensation for non-material damages under Article 82 of the GDPR and case law in other European countries.
That said, recent case law indicates a possible shift in Denmark’s approach to non-material damages under the GDPR. Danish courts have recognised compensation for non-material damages without a de minimis threshold, while emphasising that such (minor) non-economic harm must be concrete and substantiated. With appeals pending before the Supreme Court, further clarification is expected.
An increase in Article 82 GDPR claims is likely, potentially reshaping the Danish compensation landscape, aligning it more closely with European standards and increasing organisations’ financial exposure.
This evolving landscape creates uncertainty about potential liability and may have economic and practical consequences for organisations. Organisations should therefore strengthen incident response procedures and maintain thorough documentation of security and compliance measures, as this can help rebut presumptions of fault under Article 82.

