Privireal: Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Denmark - Data Protection

History of Data Protection in DENMARK

When the Act on Processing of Personal Data (Act no. 429 of 31 May 2000) entered into force on 1 July 2000, it marked the culmination of a lengthy and often fraught legislative process.

During the implementation of Directive 95/46/EC, the question of whether the Directive was a tool of harmonisation, or whether it constituted a minimum standard that individual Member States were free to build upon, exercised the Ministry of Justice and the Committee. In the end, they decided that some of the central provisions of the Directive were harmonising, but that others left each Member State scope to provide its own interpretation.

This is reflected in the 2000 Act, which replaced the Public Authorities' Registers Act and the Private Registers Act. Rather than working in a vacuum, the new Act forms part of a complex legal environment, with a battery of other acts, ministerial orders and guidelines supplementing it.

Summary of Data Protection in DENMARK

Title of Data Protection Legislation: Act on Processing of Personal Data (Act no. 429 of 31 May 2000)

Name of supervisory authority: Office for Personal Data Protection

General powers of supervisory authority: "The Danish Data Protection Agency exercises surveillance over processing of data to which the act applies. The Agency mainly deals with specific cases on the basis of inquiries from public authorities or private individuals, or cases taken up by the Agency on its own initiative." (From Danish Data Protection Agency website). See Part 16 of the Act.

Who has standing to notify the supervisory authority of breaches? The data subject.

What are the penalties for data controllers if they breach the law? Penalties are set out in Sections 70-71 of the 2000 Act. They are fines or imprisonment unless other legislation provides for a more severe punishment. The right to carry on a business can also be removed if there are reasonable fears of continued abuse of the law.

Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Yes. National identification numbers may be processed by official authorities without consent. Other data controllers may only process if consent has been given, or if the processing is carried out for scientific or statistical purposes. Disclosure to third parties is restricted. See Section 11 of the 2000 Act.

Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it. However, there may be consent requirements in other laws.

Does the Data Protection Legislation cover the deceased? Yes, as long as there is a need for protection.

Who is able to indirectly identify the data subject? Anybody.
