🇩🇰General Data Protection Regulation in Denmark
A comprehensive guide to General Data Protection Regulation compliance for organisations operating in Denmark. Understand local enforcement, the national data protection authority, key focus areas, and notable enforcement actions.
About General Data Protection Regulation
The EU's landmark data protection law that governs how organisations collect, store, process, and transfer personal data of individuals in the European Economic Area.
General Data Protection Regulation Enforcement in Denmark
Denmark's Datatilsynet takes a distinctive approach by frequently issuing formal reprimands and compliance orders before resorting to financial penalties, though it has increasingly imposed fines through the Danish court system (as Danish administrative authorities cannot directly impose GDPR fines — they must recommend fines to the police, who present cases to the courts). The Danish Data Protection Act (Act No. 502 of 23 May 2018) supplements the GDPR with provisions on processing of national identification numbers (CPR numbers), journalistic exemptions, and research data. The Datatilsynet has been active in auditing municipalities, healthcare providers, and educational institutions. Denmark sets the digital consent age at 13.
Data Protection Authority
Datatilsynet
Key Enforcement Focus Areas in Denmark
- Municipal and public sector compliance auditing
- Healthcare data processing
- CPR number (national ID) processing rules
- Educational institution data handling
- Judicial enforcement model (court-imposed fines)
Notable Enforcement Actions in Denmark
IDdesign A/S (ILVA/JYSK)
Retaining customer data for 5+ years beyond the stated retention period in over 300,000 customer records
Danske Bank A/S
Failure to establish adequate procedures for data deletion and retention across over 400 systems
Medhelp A/S
Health data breach exposing patient records due to inadequate security measures in telehealth platform
Municipality of Gladsaxe
Unlawful processing of special category data in automated citizen profiling system
Check Your Compliance Status
Take our free assessment to evaluate your organisation's compliance posture. Get a personalised report with actionable recommendations in minutes — no sign-up required.
Start Free AssessmentDisclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
Other Regulations Affecting Denmark
Network and Information Security Directive (NIS2)
The updated EU cybersecurity directive that expands security requirements to a broader range of sectors and imposes stricter obligations on essential and important entities.
Digital Operational Resilience Act (DORA)
The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.
EU Artificial Intelligence Act (AI Act)
The world's first comprehensive AI regulation, establishing a risk-based framework for the development, deployment, and use of artificial intelligence systems within the EU.
ePrivacy Directive (2002/58/EC)
The EU directive governing privacy in electronic communications, covering cookies, direct marketing, traffic data, and the confidentiality of communications — often called the "Cookie Law".