Support Centre

Denmark

Summary

Law: Act No. 502 of 23 May 2018 on Supplementary Provisions to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the Act) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Danish data protection authority ('Datatilsynet')

Summary: Denmark implemented the GDPR through Act No. 502 of May 23, 2018 on Supplementary Provisions to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the Act), which is closely aligned with the GDPR and does not derogate at all in areas such as the appointment of a data protection officer, data retention, or data transfers. However, the Act exempts personal data processing covered by the Act governing information databases operated by mass media (only available in Danish) from the GDPR and the Act. The Danish data protection authority (Datatilsynet) is an active regulator and regularly publishes guidelines on various issues including data breach notification, data subject rights, and security of processing. Notably, Denmark was the first EU country to publish Standard Contractual Clauses for contracts between controllers and processors in line with Article 28 of the GDPR in the EDPB register.

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview on the rules and guidelines for DPO contact registration across Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, and Greece.

In May 2019, the Court of Justice of the European Union (CJEU) delivered a judgment1 on the understanding of specific requirements under the EU Working Time Directive. More specifically, the CJEU ruled that an employer is required to have a system in place that allows registration of the employees' daily working time to ensure that all the requirements of the EU Working Time Directive are complied with. As a consequence of this judgment, the Danish Ministry of Employment presented an amendment to the Danish Working Time Act. Anna de Vos- Zehngraff, Mille Selbach Rasmussen, and Rasmus Martens, from Bruun & Hjejle Advokatpartnerselskab, take a look at this amendment and the implications of this on data protection. 

In a time when digital marketing and visual identity play crucial roles, using employee photos sparks complex questions concerning privacy and data protection. The complexity of this landscape is further emphasized by the ongoing development of rules and regulations. In this Insight article, Elsebeth Aaes-Jørgensen, Partner at Norrbom Vinding, delves into how employers can navigate the delicate balance between their need for visual representation and the essential considerations on how to avoid infringing employees' rights.

In March 2022, the Danish data protection authority ('Datatilsynet') issued its 'Guidance on the use of cloud' ('the Guidance')1. Birgitte Toxværd, Partner and Attorney-at-law at Horten Advokatpartnerselskab, chronologically dissects the Guidance and its updates, and discusses key takeaways in relation to data transfers and cloud computing.

On 29 October 2021, the Danish data protection authority ('Datatilsynet') published a guide on how to approach data processor audits. In the guide, the Datatilsynet sets out six supervisory concepts based on a risk assessment of the processing activities in question. The risk assessment uses a points scale, where the total score gives the data controller a sense of the risk associated with the processing, and which supervisory concept to choose when auditing the data processor. Camilla Sand Fink, Senior Associate and Head of the Data Privacy Team at CLEMENS Law Firm, reviews the Datatilsynet's guide and the central issues around auditing data processors.