
Global Data Privacy Guide

Denmark

(Europe) Firm Kromann Reumert

Contributors Daiga Grunte-Sonne

Updated 29 Aug 2025
1. What is the key legislation?

Since May 25, 2018, radical changes to data privacy laws in the European Union have been in effect. The General Data Protection Regulation ("GDPR") has impacted businesses regardless of whether they have a corporate presence in the EU or use EU-based assets to process data (which was the former test for the application of EU data protection rules). If a business offers goods or services to EU-based customers or monitors their behavior, it is potentially within the scope of the GDPR (please see below for more details).

The extra-territorial reach means that in practice, many businesses operating internationally need to adopt European data privacy standards, which are becoming the default global standards. The increased sanctions under the GDPR (up to 4% of global revenue or EUR 20 million, whichever is higher), together with general public expectations about data privacy, mean that compliance with data privacy laws cannot be treated as a minor regulatory issue. Potential fines and other penalties under the GDPR will put data privacy and cybersecurity at the same level as antitrust or anti-bribery and corruption programs on the corporate compliance agenda. This will require board-level awareness and leadership and the combined input from a range of professionals, including legal, IT, finance, procurement and vendor management and HR.

The GDPR is directly effective in all EU Member States without the need for further national legislation. However, the GDPR has specific areas in which the Member States are either permitted or required to enact national legislation to give effect to its provisions, for example, in relation to the procedure for imposing an administrative fine; the processing of special categories of personal data; the age of consent for processing personal data in the context of online services; and the restrictions and limitations on the application and exercise of data subject rights. 

Moreover, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (“e-Privacy directive”) contains provisions regarding the protection of privacy on the Internet.

In Denmark, the GDPR is complemented by the Act on Supplementary Provisions to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data ("Danish Data Protection Act"). The e-Privacy directive is transposed by Bekendtgørelse nr. 1148 af 9. December 2011 om krav til information og samtykke ved lagring af eller adgang til oplysninger i slutbrugerens terminaludstyr ("Cookiebekendtgørelsen") and the Danish Marketing Practices Act ("Markedsføringsloven").

2. What are the key decisions applying that legislation?
  • Court of Justice of the European Union ("CJEU"), No. C-311/18, Judgment of the Court, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, July 16, 2020
    • The CJEU upheld the validity of the European Commission's standard contractual clauses ("SCCs"), while indicating that, in order to use them, it is up to the data controller, where applicable in cooperation with the recipient of the transferred data, to assess whether, in practice and for the transfer envisaged, these SCCs ensure that the transferred data enjoy a level of protection essentially equivalent to that ensured in the European Union. If the effect of these clauses is limited or completely excluded by the legislation of the third country applicable to the transfer of such data, the data controller must implement additional measures to ensure the required level of data protection or notify the competent data protection authority of its intention to continue transferring data without these safeguards.
    • The CJEU analyzed U.S. legislation on access to data from internet service providers and telecommunications companies by U.S. intelligence services (Section 702 FISA and Executive Order 12333). It concluded that the interference with the privacy of individuals whose data is processed by U.S. companies and operators subject to this legislation is disproportionate in relation to the requirements of the Charter of Fundamental Rights. In particular, the Court ruled that the collection of data by intelligence services is not proportionate and that the remedies, including judicial remedies, available to individuals with regard to the processing of their data are insufficient. The CJEU therefore invalidated the European Commission's adequacy decision.
  • CJEU, No. C-131/12, Judgment of the Court, Google Spain SL and Google Inc. v. Spanish Data Protection Agency (AEPD) and Mario Costeja González, May 13, 2014
    • The CJEU has clarified that operators of internet search engines are now responsible for the processing of personal data appearing on web pages published by third parties.
    • Every data subject has the right to obtain the removal of personal data concerning them, i.e., the operator of a search engine must, at the request of said data subject, remove from the list of results obtained following a search carried out using a person's name, links to web pages published by third parties containing information relating to that person.
  • CJEU, No. C-673/17, Judgment of the Court, Federal Association of Consumer Organizations and Consumer Associations – Verbraucherzentrale Bundesverband eV v Planet49 GmbH, October 1, 2019
    • In the European Economic Area ("EEA"), users of websites and apps cannot be tracked using cookies or similar technologies without their specific consent through active behavior. Pre-ticked checkboxes are not sufficient to constitute consent. Users must also be informed of the possibility of third-party access to cookies and the lifetime of cookies. 
  • CJEU, No. C-40/17, Judgment of the Court, Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, July 29, 2019 
    • The manager of a website that inserts the Facebook “Like” button on said website becomes jointly responsible (with Facebook) for the processing of personal data of visitors to its website regarding the collection and transmission of such data to Facebook. If the manager wishes to rely on consent as a legal basis for processing, they must obtain it and inform visitors of their rights prior to the collection of data.
  • CJEU, No. C-300/21, Judgment of the Court, UI v Österreichische Post AG, May 4, 2023 
    • In the event of a breach of the GDPR, the right to compensation is subject to three cumulative conditions, which are as follows: (i) a breach of the GDPR, (ii) material or non-material damage resulting from that breach, and finally (iii) a causal link between the breach and the damage. Based on these three cumulative conditions, a simple breach does not in itself give rise to a right to compensation. Furthermore, the GDPR does not define the concept of “damage.” It merely states explicitly that both “material” and “moral” damage may give rise to a right to compensation, “without any threshold of seriousness being required” (§ 45).

The enforcement mechanisms in Denmark are described below. The most significant cases in Denmark to date include:

  • Kræftens Bekæmpelse (SS-7513/2023-KBH) - 1 October 2024
    • In 2021, the Danish Data Protection Authority ("Datatilsynet") reported the Danish Cancer Society ("Kræftens Bekæmpelse") to the police with a proposed fine of DKK 800,000 for failure to comply with the requirement to implement appropriate security measures. This was the result of four security breaches, caused by two thefts of computers in the autumn of 2019 and two phishing attacks in the spring of 2020. According to Datatilsynet, hard disk encryption and multi-factor authentication (MFA) were not applied. However, on 1 October 2024, the City Court of Copenhagen ("Københavns Byret") imposed a fine of DKK 75,000 on Kræftens Bekæmpelse for insufficient security measures, thereby significantly reducing Datatilsynet's proposed fine, partly due to the nature of Kræftens Bekæmpelse as a non-profit organization rather than a commercial enterprise.
  • Taxa 4x35 (SS-185/2023-OLR) - 30 April 2025
    • In 2019, Datatilsynet reported the company Taxa 4x35 to the police with a proposed fine of DKK 1,200,000. This was the first time the Authority had proposed a fine under the data protection rules in Denmark. During a supervisory visit, Datatilsynet found that Taxa 4x35 had failed to fulfill its obligation as a data controller to ensure that personal data was not stored in a way that allowed the identification of data subjects for longer than necessary. The company had stored information on customers' phone numbers and location data collected in connection with 8,873,333 registered taxi rides from before 1 October 2016, as part of product and business development. This was despite the fact that the numbers only functioned as ID numbers in their system, and the purpose of storing these after two years could have been achieved by using a unique, non-personally identifiable ID number. The proposed fine was reduced by the District Court of Frederiksberg ("Retten på Frederiksberg") to DKK 300,000 because the Court did not find it proven that Taxa 4x35 had intentionally stored the data in a way that provided an economic benefit or avoided a loss. On 30 April 2025, the Eastern High Court ("Østre Landsret") increased the fine to DKK 500,000 due to the seriousness of the infringement, which is considered a severe fine in the context of current Danish case law. However, the Court took into account the size of the company, being a small business with only 35 employees and a turnover below DKK 60 million.
  • ILVA (still pending)
    • In 2019, Datatilsynet proposed a fine of DKK 1.5 million against the company IDdesign A/S ("ILVA") for failure to erase personal data concerning approximately 385,000 customers during the period between May 2018 and January 2019 in a legacy system. The company had informed Datatilsynet that no data retention policy was implemented in the system. The proposed fine was based on the turnover of the entire group of the undertaking, the Lars Larsen Group. In its judgment in February 2021, the District Court in Aarhus ("Retten i Aarhus") reduced the proposed fine to DKK 100,000, as ILVA had acted negligently. The fine was calculated based on the turnover of ILVA alone and not the entire Lars Larsen Group. In the appeal before the Western High Court ("Vestre Landsret"), the Court submitted a request for a preliminary ruling to the Court of Justice of the European Union ("CJEU") in June 2023 concerning the interpretation of the term "undertaking" in Article 83(4)-(6) of the GDPR. On 13 February 2025, the CJEU in Case C-383/23 confirmed that the maximum amount of the fine is to be determined on the basis of a percentage of the undertaking's total worldwide annual turnover, as the term "undertaking" corresponds to Articles 101 and 102 TFEU. The final judgment from the Western High Court is still pending.
1. How are “personal data” and “sensitive data” defined?

Personal Data

The GDPR regulates the processing of personal data within the meaning of Article 4.1 of the GDPR, i.e. any information relating to an individual who can be identified, either directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR does not apply, however, to fully anonymized or aggregated data where a living individual cannot be identified.

Sensitive Data

Sensitive data is a special category of personal data that is subject to a higher level of protection under Article 9.1 of the GDPR.

This category covers personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person's sex life or sexual orientation. The processing of such data is prohibited as a rule.

Data relating to criminal convictions or offenses are subject to specific protection under the GDPR and may only be processed under the control of official authority or where authorized by Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

2. How is the defined data protected?

Personal data and sensitive data are protected by the GDPR through a set of principles and technical obligations designed to ensure their confidentiality, integrity, and availability throughout their lifecycle.

Under GDPR, processing of personal data is subject to:

  • the main principles set forth in Article 5.1 of the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimization and accuracy; storage limitation; and integrity and confidentiality;
  • existence of a valid legal basis for the processing (GDPR, Article 6);
  • enhanced protection of sensitive data (GDPR, Article 9);
  • provision of complete and transparent information to data subjects (GDPR, Articles 12 to 14);
  • possibility given to data subjects to exercise their rights;
  • data protection by design and by default (GDPR, Article 25);
  • documenting relations with data processors (GDPR, Article 28);
  • inclusion of the processing in a record of processing activities (as a data controller or processor) (GDPR, Article 30);
  • security obligations (GDPR, Article 32); and
  • notification of personal data breaches to the supervisory authority where there is a risk for the data subject (GDPR, Article 33) and communication to the data subject when the risk is high (GDPR, Article 34).

All of these elements ensure optimal protection of the data collected.

Section 8 of the Danish Data Protection Act sets out specific protection measures for data processing relating to the prevention and detection of criminal offenses, criminal investigations and prosecutions, or the execution of criminal penalties, and the free movement of such data.

For detailed information on how this aspect of GDPR is enacted in Denmark, please contact Kromann Reumert directly.

3. Who is subject to privacy obligations?

The GDPR’s obligations primarily apply to data controllers, defined as any natural person, corporate entity or other legal person, public authority, agency or other body that determines the purposes and means of data processing (alone or together with others). It also provides for certain direct obligations on data processors, which are any natural person, corporate entity or other legal person, public authority, agency or other body that processes personal data on behalf of the data controller. 

The GDPR applies to:

  • The processing of personal data in the context of the activities of a data controller’s or data processor’s establishment in the EU (i.e., implying the effective and real exercise of activity through stable arrangements), regardless of whether the data is processed in the EU or not or regardless of whether the data relates to EU residents or not. 
  • The processing of personal data of persons within the EU by data controllers or data processors who are established outside the EU, where the processing is related to:
    • the offering of goods or services to such data subjects in the EU (irrespective of whether payment is required); or
    • the monitoring of the behavior of such data subjects as far as the behavior takes place in the EU.
4. How is “data processing” defined?

In accordance with Article 4.2 of the GDPR, data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The processing of personal data is not necessarily computerized: paper files are also covered and must be protected under the same conditions.

Data processing must have a purpose, a specific aim determined prior to the collection and use of the data.

5. What are the principles applicable to personal data processing?

Under the GDPR, a data controller must comply with the following principles under Article 5:

  • Lawfulness, Fairness and Transparency – the data shall be processed lawfully (i.e., based on one of the six specified legal bases), fairly and in a transparent manner (e.g., pursuant to a privacy policy that meets the requirements of the GDPR) in relation to the data subject;
  • Purpose Limitation – the data
    • shall be collected for specified, explicit and legitimate purposes; 
    • shall not be further processed in a manner incompatible with those purposes.
  • Data Minimization – the data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed or are further processed;
  • Accuracy – the data shall be accurate and, where necessary, kept up to date;
  • Storage Limitation – the data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed; 
  • Integrity and Confidentiality – the data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures; and 
  • Accountability – The data controller shall be responsible for and be able to demonstrate compliance with the above principles.
6. How is the processing of personal data regulated?

To be processed lawfully, the GDPR requires that personal data processing is based on one of the specified legal bases, which include the following:

  1. Consent

Personal data may be processed based on the data subject’s specific, freely given and informed consent.

  • such consent must be provided by way of “a statement or by a clear affirmative action” (pre-ticked boxes and implied consent fall short of the standard);
  • data subjects have the right to withdraw their consent at any time and in an easy manner.

The controller is under an obligation to demonstrate the data subject’s consent where the processing is based on consent.

Consent from a child in relation to online services will only be valid if authorized by a parent or guardian. According to Article 8 of the GDPR, a child can consent from 16 years old, though the Member States may reduce this age to 13 years old.

In this context, Denmark has reduced the age of consent to 15 years old.

  2. Legitimate Interests

A data controller may process personal data based on its legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The data controller must, however, inform the data subject of the particular legitimate interest pursued, and the data subject has the right to object to the legitimate interest-based processing on grounds particular to his or her situation (see Right to Object below).

Public authorities may not rely on this legal basis in the performance of their tasks.

  3. Contractual Necessity

Personal data may be processed where it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. The processing must, however, be necessary for the performance of the contract rather than merely facilitative.

  4. Legal Obligation

A data controller may process personal data where it is necessary to comply with a legal obligation to which it is subject.

  5. Vital Interest of the Data Subject

The data controller may process personal data where it is necessary to protect the vital interests of the data subject or of another natural person.

  6. Public Interest or Exercise of Official Authority

The data controller may process personal data where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Special Categories of Personal Data

The processing of special categories of personal data is prohibited, except where it relies on one of the exceptions set out in Article 9:

  1. The data subject has given explicit consent;

  2. Processing is necessary for compliance with obligations or exercising rights under employment and social security and social protection laws, as set out in EU or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the rights and freedoms of data subjects;

  3. Processing is necessary to protect the vital interest of the data subject or another natural person where the data subject is physically or legally incapable of giving consent;

  4. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a political, philosophical, religious or trade union foundation, association or not-for-profit body and relates solely to its members, former members or persons who have regular contact with it in connection with its purposes, provided that the data are not disclosed outside that body without the consent of the data subjects;

  5. The personal data processed are manifestly made public by the data subject;

  6. Processing is necessary for the establishment, exercise or defense of a legal claim or whenever courts are acting in their judicial capacity;

  7. Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law, which is proportionate, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the rights and interests of the data subjects;

  8. Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to a contract with a health professional;

  9. Processing is necessary for reasons of public interest in the area of public health on the basis of EU or Member State law;

  10. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes on the basis of EU or Member State law.

Member States may have further conditions with regard to the processing of genetic data, biometric data or data concerning health.

Please note that in Denmark, the Danish Data Protection Act is supplemented by specific legislation, which applies inter alia to health research, clinical trials, and the hosting of health data. 

In addition to these special categories of data mentioned in Article 9, Member States may also further determine the specific conditions for the processing of a national identification number or any other identifier of general application.

In Denmark, Section 11 of the Danish Data Protection Act determines the specific categories of data controllers allowed to process the social security number and the purposes for which it can be processed. 

According to Section 11(1), public authorities may process data concerning identification numbers for the purpose of unique identification or as file numbers. 

Private individuals and entities may process such data pursuant to Section 11(2), where this follows from the law, the data subject has given consent in accordance with Article 7 of the GDPR, or the processing is carried out solely for scientific or statistical purposes or if it is a matter of disclosing an identification number where such disclosure is a natural element of the ordinary operation of enterprises etc. of the type in question and the disclosure is of decisive importance for unique identification of the data subject, or the disclosure is demanded by a public authority. 

Furthermore, data concerning identification numbers may be processed by private individuals or entities if the conditions laid down in Section 7 are satisfied. This applies where the conditions for processing personal data laid down in points (a), (c), (e) or (f) of Article 9(2) of the GDPR have been complied with. Alternatively, processing may be necessary for the purposes of meeting and respecting the data controller's or the data subject's labour law obligations and specific rights, or for purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of medical and health care services. In the latter case, the data must be processed by a health professional who is subject by law to an obligation of professional secrecy. In addition, reasons of substantial public interest may constitute a basis for processing, provided that authorization has been granted by Datatilsynet.

It should be noted that an identification number may not be made public by private individuals or entities unless consent has been given in accordance with Article 7 of the GDPR.

For detailed information on how this aspect of GDPR is enacted in Denmark, please contact Kromann Reumert directly.

Risk-Based Approach 

Data controllers must also have “appropriate technical and organizational measures” in place to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, taking a risk-based approach (Article 24). This requires that the controller takes account of the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The measures must be reviewed and updated where necessary and shall include the implementation of appropriate data protection policies.  

Privacy by Design and Privacy by Default

The GDPR also introduces new concepts of ‘privacy by design’ and ‘privacy by default’ under Article 25. This requires that a controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. That obligation applies to:

  • the amount of personal data collected;
  • the extent of their processing; and 
  • the period of their storage and their accessibility. 
7. How are storage, security and retention of personal data regulated?

The GDPR requires that “appropriate technical and organizational measures” are in place to protect the security of personal data and that personal data not be retained for longer than is necessary for the purpose or purposes for which the data are processed.

Article 32 provides some detail on the standards that controllers and processors should take into account in determining appropriate security measures against unauthorized or unlawful processing, accidental damage, destruction or loss of data. The data controller must take into account:

  • the state of the art; 
  • the cost of implementing the measures; 
  • the nature, scope, context and purposes of processing; and
  • the risk of varying likelihood and severity for rights and freedoms of the data subject posed by the processing, in particular, those presented against unauthorized or unlawful processing, accidental damage, destruction or loss of data.

The GDPR notably states that pseudonymization and encryption should be considered where appropriate and that controllers should maintain system resilience, security testing, backup, recovery and continuity measures.

Data controllers and data processors must ensure all of their employees comply with the security measures in place and not process personal data other than on the instructions of the controller.

Personal data may not be kept for longer than is necessary for the specified purpose or purposes for which it was collected and a data retention procedure or policy should be implemented in this respect. 

8. What are the data subjects' rights under the data legislation?

Under the GDPR, data subjects have enhanced rights in relation to their personal data, most of which only apply in specific circumstances. 

The data controller shall provide information on action taken on a request within one month of receipt, which period may be extended by two further months where necessary, taking account of the complexity and number of requests and provided that the controller informs the data subject of such extension within one month of the request. 

Where requests are manifestly unfounded or excessive, in particular, because of their repetitive character, the data controller may charge a “reasonable fee based on administrative costs” or refuse the request.

Right of Access 

The data subject can ask a data controller for a copy of his or her personal data being processed by the data controller. 

Right of Rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed.

Right of Erasure

In certain circumstances, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.

Right of Restriction of Processing

The data subject has the right to obtain from the controller restriction (i.e. suspension) of the processing in certain circumstances, such as where the accuracy of the data is being contested, the processing is unlawful or the data subject has objected to the processing. 

Right to Data Portability

The right to data portability of personal data is the right to receive the personal data provided by the data subject to the controller (on the basis of consent or contractual necessity) in a structured, commonly used and machine-readable format and to transmit that data to another controller.

Right to Object

The data subject has the right to object, on grounds relating to his or her particular situation, to the processing of the personal data based on the performance of a task carried out in the public interest or for the legitimate interests of the controller or a third party.

The controller must no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. 

Where personal data is processed for direct marketing purposes, the data subject has the right to object to the processing of his or her personal data at any time.

Automated Decisions with Legal or Significant Effects

Data subjects have a right not to be subject to automated decision-making in respect of the personal data, including profiling, with no human intervention where such a decision produces legal effects concerning the data subject or similarly significantly affects him or her (e.g., creditworthiness check or e-recruitment). This does not apply where explicit consent is provided, the processing is authorized by EU or Member State law or the processing is necessary for the purposes of entering into or performing a contract with the data subject. 

Pursuant to Article 23 of the GDPR, these data subject rights may be subject to limitations or restrictions as prescribed by Member State law where necessary and proportionate to safeguard various matters specified in Article 23, ranging from issues of national security to the enforcement of civil law claims.

For detailed information on how this aspect of GDPR is enacted in Denmark, please contact Kromann Reumert directly.

9. What are the consent requirements for data subjects?

Consent is one of the legal bases provided for by the GDPR on which the processing of personal data may be based. It is defined in Article 4.11 of the GDPR as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The consent of the individual is systematically required for certain types of processing, which are governed by specific legal provisions: for example, to carry out commercial prospecting by email.

Under Article 7 of the GDPR, four cumulative criteria must be met for consent to be valid. Consent must be:

  1. Free: consent must not be coerced or influenced. The individual must be offered a genuine choice, without suffering any negative consequences if they refuse;
  2. Specific: consent must correspond to a single processing operation for a specific purpose;
  3. Informed: to be valid, consent must be accompanied by a certain amount of information communicated to the person before they consent (the identity of the data controller, the purposes pursued, the categories of data collected, the existence of a right to withdraw consent, where applicable: the fact that the data will be used in the context of automated individual decisions or that it will be transferred to a country outside the European Union);
  4. Unambiguous: consent must be given by a clear statement or other affirmative act. There must be no ambiguity as to the expression of consent.

    For example, the following methods of obtaining consent cannot be considered unambiguous: pre-ticked or pre-activated boxes, “bundled” consent (where a single consent is requested for several separate processing operations), or inaction (e.g., failure to respond to an email requesting consent).

The data subject has the right to withdraw consent, and as such, they must be able to withdraw their consent at any time, using a method that is as simple as the method used to obtain consent (for example, if consent was obtained online, it must also be possible to withdraw consent online).

In addition, the data controller must be able to demonstrate at any time that the individual has given valid consent. To do so, the data controller must document the conditions under which consent was obtained.

When a child is under 16 years of age, processing is only lawful if consent is given or authorized by the holder of parental responsibility over the child. The GDPR allows Member States to vary the age below which consent must be given by parents between 13 and 16 years.

In Denmark, the age is 15.

For detailed information on how this aspect of GDPR is enacted in Denmark, please contact Kromann Reumert directly.

10. How is authorization for use of data handled?

Authorization to use personal data is managed through the selection and justification of a legal basis for each processing operation and, in certain cases, through the collection of explicit consent.

The GDPR requires that all processing of personal data be based on at least one of the six legal bases provided for in Article 6.

Authorization to use data does not therefore necessarily imply consent from the data subject, provided that the use is based on another legal basis provided for in Article 6.

In the case that an entity that has collected data wishes to reuse it for purposes other than those initially specified, the consent of the data subject must be obtained again.

The use of consent boxes that are checked by default is prohibited. Furthermore, silence on the part of the person concerned (e.g., the person visits the website without accepting or refusing cookies) does not constitute consent.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

The GDPR also restricts the transfer of personal data to a country outside the European Economic Area ("EEA") unless certain conditions or safeguards are in place. 

Transfer to Adequate Countries Outside the EEA

Transfers of data to a third country or international organization are permitted where the European Commission has taken an adequacy decision under Article 45 of the GDPR that there is an adequate level of protection of personal data in that country or organization.

The existing list of countries that have been approved by the EU Commission will remain in force. Transfers of personal data to the following countries can take place without further safeguards:

  • Andorra
  • Argentina
  • Canada (partial adequacy decision for personal data transferred to recipients subject to the Canadian Personal Information Protection and Electronic Documents Act 2000)
  • Faroe Islands
  • Guernsey
  • Israel
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • The Isle of Man
  • United Kingdom
  • Uruguay

While the Privacy Shield was a partial adequacy decision covering transfers to organizations that complied with the Privacy Shield Principles in the United States, it has been invalidated by the decision of the European Court of Justice in case C-311/18 dated 16 July 2020 ("Schrems II decision") and is not applicable anymore.

In the wake of the invalidation of the Privacy Shield, the European Commission issued an adequacy decision for the EU–US Data Privacy Framework (“DPF”). Such transfers can occur freely with U.S. companies that are certified under the DPF, without needing additional safeguards. However, some concerns were raised regarding the consequences of the U.S. surveillance laws, and there is a belief that the DPF might be invalidated by the European Court of Justice.

Transfer to Non-Adequate Countries

Where the country to which the personal data will be transferred does not appear on an approved list of countries (such as the transfer to U.S. companies not certified under the DPF), the transfer of personal data can still take place only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies are available. 

The appropriate safeguards may be provided by:

  • a legally binding and enforceable instrument between public authorities or bodies; 
  • binding corporate rules in accordance with Article 47; 
  • so-called standard contractual clauses adopted by the European Commission or the supervisory authority, which incorporate the EU standards into the contract;
  • an approved code of conduct pursuant to Article 40, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or
  • an approved certification mechanism pursuant to Article 42, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.

The standard contractual clauses are the most commonly used appropriate safeguard mechanism. However, according to the Schrems II decision, controllers relying on standard contractual clauses or BCRs are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area. Where necessary, supplementary measures (i.e., legal, technical or organizational measures) have to be implemented to ensure such an essentially equivalent level of protection.

The GDPR also provides for derogations to the prohibition of personal data transfers, for instance, where the data subject has explicitly consented to the transfer, after having been informed of the possible risks due to the absence of an adequacy decision. 

12. How are data "incidents" and "breaches" defined?

The GDPR does not relate to “incidents” related to personal data, but to “breaches”, i.e., any security incident, whether malicious or not, and occurring intentionally or unintentionally, that compromises the integrity, confidentiality, or availability of personal data.

In accordance with Article 4.12 of the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

13. Are there any notification requirements for incidents and/or data breaches?

The GDPR introduces a compulsory requirement for controllers to report data breaches to the competent national supervisory authority(ies) (please see below) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects.  

A risk assessment will, therefore, need to be taken by the controller in evaluating whether the obligation to report arises. Where a breach poses a high risk to data subjects, the GDPR also requires that the controller communicate the breach to the affected data subjects without undue delay. Regardless of whether notification to the regulator is made or not, controllers must document all personal data breaches, comprising the facts, its effects and remedial action taken. 

Where a processor has suffered a personal data breach, the processor must notify the controller “without undue delay” after becoming aware of the breach.

Providers of publicly available electronic communications services in public communications networks in the EU are subject to a mandatory reporting obligation in accordance with EU Regulation No 611/2013.

14. Who is/are the privacy regulator(s)?

Supervisory Authority

Article 55, GDPR, provides that each national supervisory authority has the competence to act in relation to matters in its territory. In Denmark, the supervisory authority is the Datatilsynet: https://www.datatilsynet.dk/

In Denmark, the Intelligence Oversight Board ("TET") and the Intelligence Services Committee of the Danish Parliament monitor the surveillance techniques used by Danish intelligence services and verify that any infringement of the right to privacy is proportionate.

Lead Supervisory Authority

In circumstances where a controller or a processor is engaged in “cross-border processing” (being the processing of personal data which takes place in the context of activities of establishments of that controller or processor in more than one Member State or processing which substantially affects or is likely to substantially affect data subjects in more than one Member State), then the supervisory authority of the main or single establishment of the controller or processor shall have the competence to act in respect of such cross-border processing.

Tasks and Powers of a Supervisory Authority

The GDPR provides for enhanced, wide-ranging powers of enforcement to supervisory authorities, who may impose substantial fines for breaches of the GDPR.

The tasks of a supervisory authority are set out in Article 57 of the GDPR and include, among others:

  • monitoring and enforcing the application of the GDPR;
  • promoting awareness;
  • handling complaints; 
  • conducting investigations;
  • cooperating with other supervisory authorities; and
  • administrative tasks such as drawing up codes of conduct, reviewing certifications and approving standard contractual clauses for transfers of personal data outside the EEA.

The powers of a supervisory authority are set out in Article 58 and include, among others:

  • ordering the production of information from controllers and processors;
  • conducting investigations in the form of audits, including onsite investigations;
  • issuing warnings, reprimands, and enforcement orders;
  • ordering the suspension or ban of non-compliant processing activities;
  • the imposition of administrative fines; and
  • advising, for example, in relation to high-risk processing or issuing opinions.

The European Data Protection Board ensures that EU rules designed to protect data are applied consistently across all EU countries, so that all citizens have the same rights, regardless of where they live.

Finally, the European Commission and the CJEU contribute to the interpretation and enforcement of the GDPR.

15. What are the consequences of a data breach?

Administrative Fines

The imposition of administrative fines by a supervisory authority is subject to appropriate procedural safeguards in accordance with Union or Member State law and therefore, the mechanism and procedure for imposing a fine may vary from Member State to Member State.

For detailed information on how this aspect of GDPR is enacted in Denmark, please contact Kromann Reumert directly.

The level of administrative fines is set out in Article 83, together with examples of aggravating and mitigating factors in determining whether to impose a fine and, if so, the level of such fine. In each case, the supervisory authority is to ensure that the imposition of fines is effective, proportionate and dissuasive. The amount of a fine depends on the nature of the infringement in question, with the applicable thresholds being up to:

  • 2% of the total global annual turnover of an undertaking for the preceding financial year or EUR 10,000,000, whichever is higher; or
  • 4% of the total global annual turnover of an undertaking for the preceding financial year or EUR 20,000,000, whichever is higher.

16. How is electronic marketing regulated?

Direct marketing to individuals is currently regulated at a Member State level under national legislation that gives effect to the e-Privacy Directive ("Directive 2002/58/EC"). 

The use of publicly available electronic communications services to send unsolicited communications or to make unsolicited calls for the purpose of direct marketing is restricted. Generally, such communications by electronic means require consent or are subject to a right to opt out.

In Denmark, Section 10 of the Danish Marketing Practices Act ("Markedsføringsloven") requires consent to send direct marketing electronic communications (e.g. emails and texts), except (i) if the solicitation is not of a commercial nature (e.g. if related to charity), or (ii) if the contact details have been collected directly from the consumer on the occasion of a sale, and if the marketing solicitations concern products or services similar to those already supplied by the same legal entity, provided that the consumer is expressly enabled to object to marketing solicitations. 

In January 2017, the European Commission published its proposal for an e-Privacy Regulation, which was intended to replace and modernize the existing e-Privacy Directive and to particularize and complement the GDPR as its lex specialis on the protection of privacy and confidentiality of electronic communications. On February 10, 2021, the Council of the European Union finally agreed on a draft text of the e-Privacy Regulation, along with a mandate for its Presidency to start negotiations with the European Parliament in order to reach a consensus thereon. The first political trilogue concerning the ePrivacy Regulation took place on May 20, 2021, under the Portuguese Presidency. The e-Privacy scope of application was set to have a broader reach than the GDPR, as it inter alia concerns EU end-users (to whom electronic communications data, including both the content and metadata thereof, refer) regardless of whether they are natural or legal persons. On February 11, 2025, the European Commission disclosed in the "2025 Work Programme" that it will withdraw the proposal for a new ePrivacy Regulation (replacing the current ePrivacy Directive). The current ePrivacy Directive and its national transposition laws will remain in force.

For detailed information on how this aspect of GDPR is enacted in Denmark, please contact Kromann Reumert directly.

17. Are there sector-specific or industry-specific privacy requirements?

Healthcare sector

In accordance with Article 9.1 of the GDPR, the processing of health data is prohibited in principle, except in the specific cases provided for in Article 9.2.

Judicial sector

Section 8 of the Danish Data Protection Act sets out specific protection measures for data processing relating to information on criminal offenses.

18. What are the requirements for appointing Data Protection Officers or similar roles?

Article 37 of the GDPR sets out the procedures for appointing a Data Protection Officer ("DPO").

This appointment is mandatory when:

  • The processing is carried out by a public authority or body, except for courts acting in their judicial capacity; 
  • The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or 
  • The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

The DPO must have legal and technical expertise in personal data protection and a good understanding of the business sector, internal organization, particularly processing operations, information systems, and data protection and security requirements.

In addition, the DPO must have sufficient resources to perform their duties (Article 38.2, GDPR), which means that they must:

  • be involved in all matters relating to personal data protection;
  • have sufficient time to perform their duties;
  • have adequate material and human resources;
  • have access to relevant information;
  • be able to maintain their specialized knowledge;
  • be easily accessible to the persons concerned.

Finally, the DPO must be able to act independently (Article 38.3, GDPR), which means:

  • not being in a conflict of interest if their role as DPO is combined with another role;
  • being able to report on their actions to the highest level of the organization's management;
  • not being penalized for performing their duties as DPO;
  • not receiving instructions in the performance of their duties as DPO.

The tasks assigned to the DPO are detailed in Article 39 of the GDPR and mainly involve advising, informing, monitoring, and managing relations with supervisory authorities.

19. What are the record-keeping and documentation obligations?

Under the GDPR, archiving and documentation obligations are part of the principle of accountability, which means that every organization must be able to demonstrate its compliance with the GDPR at any time, imposing specific requirements for document retention and maintenance.

Any entity that processes data must document and regularly update its records demonstrating compliance with the GDPR.

It is necessary to document the processing of personal data in the following documents:

  • Records of data processing activities (both for data controllers and data processors) (Article 30, GDPR);
  • DPIAs, if applicable, for processing operations likely to result in high risks to the rights and freedoms of individuals (Article 35, GDPR);
  • Where there are data transfers outside the European Union, appropriate documentation, depending on the context of such transfer, e.g., standard contractual clauses, BCRs, and certifications (Articles 28 and 42, GDPR).

It is also necessary to keep the information provided to data subjects, the templates used to obtain consent from data subjects, and the procedures put in place for data subjects to exercise their rights.

Finally, contracts that define the roles and responsibilities of those involved in processing must also be archived, including contracts with processors, internal procedures in the event of data breaches (Article 33, GDPR), and evidence that data subjects have given their consent when the processing of their data is based on consent.

With regard to the archiving of personal data, Article 5.1(e) GDPR imposes a limited retention period for data, i.e., a period not exceeding that necessary for the purposes for which they are processed. These retention periods must be documented in the processing records, internal document management policies, and information notices to data subjects.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

Article 35 of the GDPR requires that a Data Protection Impact Assessment ("DPIA") be carried out when a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

The DPIA is carried out by the data controller, in collaboration with the DPO (if a DPO has been appointed). If a data processor is involved in the processing, they must provide assistance and the information necessary to carry out the DPIA.

The DPIA shall be required in particular in the following cases:

  • a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; 
  • processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or 
  • a systematic monitoring of a publicly accessible area on a large scale. 

In addition, if the processing meets at least two of the nine criteria set out in the G29 Guidelines, a DPIA is mandatory:

  • evaluation/scoring (including profiling);
  • automated decision-making with legal or similar effects;
  • systematic monitoring;
  • collection of sensitive or highly personal data;
  • large-scale collection of personal data;
  • cross-referencing of data;
  • vulnerable individuals (patients, elderly people, children, etc.);
  • innovative use (use of new technology);
  • exclusion from the enjoyment of a right or contract.

In Denmark, the Datatilsynet has published an additional list of eight types of processing operations for which a DPIA is required.

For detailed information on how this aspect of GDPR is enacted in Denmark, please contact Kromann Reumert directly.

The DPIA shall contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes; 
  • an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned. 

The DPIA must be conducted before processing operations begin. It should be started as early as possible and updated throughout the processing lifecycle.

It is also necessary to review the DPIA regularly to ensure that the level of risk remains acceptable throughout the processing, as the environment, particularly the technical environment, will evolve, requiring adjustments to the measures implemented.

In Denmark, in certain circumstances, the DPIA must be submitted to the Datatilsynet.

For detailed information on how this aspect of GDPR is enacted in Denmark, please contact Kromann Reumert directly.

21. What are the requirements for third-party vendor management and data sharing?

In the context of the GDPR, a third-party vendor refers to any external entity that processes personal data on behalf of another organisation. This may include cloud service providers, marketing agencies, payment processors, and IT support companies, among others. As these vendors handle personal data, they become an extension of the organisation and must adhere to the same compliance requirements.

Cases where the third-party vendor is considered a data processor:

  • The third-party vendor may be considered a data processor if it processes personal data solely in accordance with the instructions of the data controller and does not use the data for its own purposes (hosting, customer support, emailing, data analysis).
  • A third-party vendor may only reuse personal data for its own purposes if such reuse is compatible with the initial processing and the data controller has given its written authorization.
  • This entity can be considered a processor as defined in Article 4 of the GDPR, i.e., a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 

Cases where a third-party vendor cannot be considered a data processor:

  • The third-party vendor may be considered an independent data controller if it decides on the purposes and means of the processing itself or if it is jointly responsible for the processing with the data controller (advertising service provider that collects data for its own targeting purposes).
  • In this case, the third-party vendor must obtain the consent of the data subjects in order to legally use their data for a purpose other than that initially intended.

In all cases, before entering into a contract with the third-party vendor, you must:

  • assess its level of security and compliance (certifications);
  • ensure that appropriate technical and organizational measures are in place;
  • analyze the risks associated with the processing (nature and sensitivity of the data, purposes, transfers abroad);
  • in the event of international transfers, ensure that guarantees equivalent to those of the GDPR are in place;
  • ensure that an effective data breach management policy is in place (rapid notification, obligation to cooperate, security tools).

22. What are the penalties and enforcement mechanisms for non-compliance?

Article 83 of the GDPR sets out the general conditions for supervisory authorities to impose administrative fines on controllers or processors of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Breaches of the provisions of the data protection laws in Denmark may be sanctioned by formal reprimands and/or orders, which constitute the outcome in the majority of the Danish Data Protection Agency's ("Datatilsynet") decisions. 

In Denmark, administrative authorities such as Datatilsynet cannot impose administrative fines. Instead, Datatilsynet refers both private entities and public authorities to the police for the purpose of imposing fines. The police assess the fine recommendation and, together with the Prosecution Service, subsequently bring charges and prosecute the case as a criminal matter before the courts. Danish case law on the imposition of fines remains limited. However, over time, the development of fine practices is expected to enable the issuance of penalty notices. 

For detailed information on how this aspect of GDPR is enacted in Denmark, please contact Kromann Reumert directly.

23. What are the ongoing compliance and audit requirements?

The GDPR does not impose any obligation to carry out a compliance audit, unlike a DPIA, which may be mandatory in certain situations.

However, Articles 5 and 24 of the GDPR impose a principle of accountability on data controllers. As such, they must implement appropriate technical and organizational measures and must be able to demonstrate compliance with the processing at any time.

Thus, the implementation of regular internal audits ensures that the obligations imposed by the GDPR are being met and identifies any unauthorized practices so that they can be stopped.

In the event that the data controller uses a processor, the latter must make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (Article 28.3(h) GDPR).

Finally, data protection authorities have a right similar to an audit right, allowing them to monitor an entity's compliance and request the provision of documents to prove it (Article 58 of the GDPR).

24. Are there any recent developments or expected reforms?

The use of cookies or similar technologies that involve access to personal data is subject to dual regulation in Denmark and therefore falls under the supervisory competence of both the Danish Data Protection Agency ("Datatilsynet") and the Agency for Digital Government ("Digitaliseringsstyrelsen").

Datatilsynet supervises the processing of personal data, including processing resulting from the storage of and access to personal data by cookies or similar technologies, as governed by the data protection rules. Digitaliseringsstyrelsen supervises the placement of, or access to, information already stored on end-users' equipment, as regulated by Cookiebekendtgørelsen (as described above). Consequently, there is relevant practice from both authorities. 

Datatilsynet has primarily focused on the rules concerning consent, such as the DMI Decision (j.nr. 2018-32-0357), and on the use of cookie walls, as in the cases concerning Jysk Fynske Medier (j.nr. 2021-31-5553) and GulogGratis (j.nr. 2021-31-4871).

Conversely, Digitaliseringsstyrelsen focuses on cookie banners on websites and the information provided to users. For instance, it has issued orders to both Meta Platforms and Google LLC regarding their unlawful use of cookies and similar technologies on their services.   

Together, the two authorities launched a new guideline on the use of cookies and similar technologies in May 2025. This covers, inter alia, an explanation of such technologies (cookies, web beacons, device fingerprinting, etc.), how the two regulations overlap and differ, as well as practical examples. 

The European Commission published a proposal to reform the GDPR on 21 May 2025, which would notably exempt some data processors from the obligation to keep a record of processing activities. This would apply to data processors with fewer than 750 employees, provided that the processing is not likely to result in a high risk to the rights and freedoms of data subjects.

For detailed information on how this aspect of GDPR is enacted in Denmark, please contact Kromann Reumert directly.
