Data Protection in Denmark

From GDPRhub
Data Protection in Denmark
Dk.png
Data Protection Authority: Datatilsynet (Denmark)
National Implementation Law (Original): Databeskyttelsesloven
English Translation of National Implementation Law: English Translation
Official Language(s): Danish
National Legislation Database(s): Link
English Legislation Database(s): n/a
National Decision Database(s): n/a

Legislation[edit | edit source]

History[edit | edit source]

The first privacy laws in Denmark came with the Private Registers Act (Registerloven) and the Public Authorities' Registers Act (Lov om offentlige myndigheders registre), both in 1978. These acts were replaced in 2000 with the national implementation of Directive EC/95/46 through the Act on Processing of Personal Data (Persondataloven).

National constitutional protections[edit | edit source]

Privacy is mentioned in the Danish constitution § 72, which prohibits the confiscation and examination of letters, as well as the interception of postal,- telegraph,- and telephone communication without a judicial order, as well as § 71 which concerns personal liberty.

National GDPR implementation law[edit | edit source]

In Denmark the GDPR is implemented by the Databeskyttelsesloven (Data Protection Act).

Age of consent[edit | edit source]

The age of consent is 13 years under § 6 of the Data Protection Act.

Freedom of Speech[edit | edit source]

According to § 3(8) of the Data Protection Act, the Data Protection Act as well as Chapter II-VII and IX of the GDPR does not apply to processing that is exclusively for journalistic, artistic or literary purposes, with the exception of Article 28-32, which still applies.

Employment context[edit | edit source]

Personal data may be processed under Article 6 and Article 9 for the purpose of fulfilling employment law obligations and rights of the controller or data subject as laid down by other law or collective agreements, pursuant to § 12 of the Data Protection Act. In addition, personal data may be processed by the data controller or a third party, on the basis of the legitimate interest that arises from law or collective agreements, provided that the interests or fundamental rights of the data subject is not overridden, following § 12 (2).

In an employment context, processing of personal data may take place on the basis of consent in accordance with Article 7.

Research[edit | edit source]

According to § 10 of the Data Protection Act, special categories of data may be processed for the sole reason of statistical and scientific purposes. There are further restrictions to secure purpose limitation, as well as restricting disclosure to other parties.

Other relevant national provisions and laws[edit | edit source]

CCTV is regulated by a specific act (in DK) concerning the use of CCTV. The act concerns private individuals, but does not cover the use of CCTV by the government. As such, the use of CCTV by the government falls under the purview of the GDPR. Another notable side with the CCTV act is that it is under the jurisdiction of the police, and not the danish Data Protection Authority.

National ePrivacy Law[edit | edit source]

The ePrivacy Directive is implemented through several laws and execute orders, primarily the Act on Electronic Communications Networks and Services (Lov om elektroniske kommunikationsnet og -tjenester). The regulations regarding cookies are implemented in the Cookie Order (Cookiebekendtgørelsen).

Data Protection Authority[edit | edit source]

The Danish Data Protection Authority (Datatilsynet) is the national data protection authority for Denmark, with the notable exception in the area of CCTV, which falls under the jurisdiction of the police. The Danish Business Authority (Erhvervsstyrelsen) supervise cookies and telecommunication.

→ Details see Datatilsynet (Denmark)

Judicial protection[edit | edit source]

The Courts[edit | edit source]

The judicial system of Denmark is composed of a mostly unified, three-tiered court system, with the County Court in the first instance, the High Court in second instance, and the Supreme Court in the third and last instance.

As the administrative does not issue fines in Denmark, breaches under the GDPR are sent to the police with a suggested fine. The prosecution will then build a case against the defendant, and the proceedings will be decided by the courts under the general rules of criminal procedures pursuant to the Danish Administration of Justice Act. Estonia is the only other country where the fines are issued by the courts and not by the Data Protection Authority.