Denmark

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

Name: Forslag til Lov om Supplerende Bestemmelser til Forordning om Beskyttelse af Fysiske Personer i Forbindelse med Behandling af Personoplysninger og om fri Udveksling af Sådanne Oplysninger (databeskyttelsesloven)

Status: Adopted

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD'S CONSENT (ART 8)

VARYING REQUIREMENT:

Minimum age lowered: Minimum age to provide consent is lowered to 13 years (Ch 3, § 6 Danish Act).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

No Deviation

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

VARYING REQUIREMENT:

Information Systems in the Public Interest: Processing personal data relating to criminal convictions and offenses is permitted if done solely for providing information systems with significant public benefit and when the processing is necessary for implementation of the systems. This information may not be disclosed to or processed by credit information agencies (Ch 3, § 9; Ch 4, § 15; Ch 5, § 20 Danish Act).

INFORMATION OBLIGATION (ART 13 & 14)

VARYING REQUIREMENT:

Exception to Transparency Requirement: A data controller does not need to provide notice to data subjects if this is in the interest of the data subject or another natural person (Ch 6, § 22 Danish Act).

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

SPECIFYING REQUIREMENT:

  1. Exception for Public Administration: Information processed for public administration as part of administrative cases may be exempted from the right of access in accordance with the Danish Public Administration Act.
  2. Exception for Courts: The right of information and access shall not apply to the processing of personal data made to the courts when they act in their capacity as courts.
  3. Exception for Scientific and Statistical Processing: Rights of access, correction, restriction, and objection shall not apply if the information is exclusively processed for scientific or statistical purposes.
  4. Exception for Criminal Investigation: There is no obligation for the controller to notify the data subject of a data breach if the notification of data subjects interferes with a criminal investigation as determined by the police.

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION IMPACT ASSESSMENT (ART 35)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

VARYING REQUIREMENT:

Confidentiality: Data protection officers shall not unlawfully disclose or exploit information that they have become aware of in the performance of their duties (Ch 7, § 24 Danish Act).

CERTIFICATION (ART 42)

No Deviation

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

VARYING REQUIREMENT:

No Appeal Before Administrative Authority: The Data Inspectorate’s decisions cannot be appealed before another administrative authority (Ch 10, § 30 Danish Act).

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

No Deviation

PENALTIES (ART 84)

VARYING REQUIREMENT:

Criminal Penalties: Because the legal system of Denmark does not allow for administrative fines, the Danish Act provides for criminal penalties for violations of the GDPR, including fines or imprisonment for up to six months (Ch 12, § 41 Danish Act).

FREEDOM OF EXPRESSION & INFORMATION (ART 85)

No Deviation

HR PROCESSING (ART 88)

No Deviation

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

VARYING REQUIREMENT:

Archiving: Information covered by the Danish Act may be transferred to archive storage in accordance with the rules of the Archive Act (Ch 3, § 14 Danish Act).

OBLIGATIONS OF SECRECY (ART 90)

VARYING REQUIREMENT:

DPO Obligation of Secrecy: Data protection officers who unlawfully disclose or exploit information obtained in the performance of their duties shall be fined, unless higher punishment is allowed by other legislation (Ch 12, § 41(4) Danish Act).

LOCAL DPA GUIDANCE & LEGAL SOURCES