LAW

Denmark implemented the EU Data Protection Directive 95/46/EC in June 2000 with the Act on Processing of Personal Data ("Act").

DEFINITION OF PERSONAL DATA

Any information relating to an identified or identifiable natural person (data subject).

DEFINITION OF SENSITIVE PERSONAL DATA

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or sex life.

NATIONAL DATA PROTECTION AUTHORITY

Datatilsynet ("DPA")

REGISTRATION

Unlike most EU Member States, Denmark does not require a general registration of controllers, processing activities or databases with personal information.

However, data processors established in Denmark who offer electronic processing services must, prior to the commencement of such processing operations, notify the DPA.

Besides this notification requirement, processing of personal data must be notified by the controller to the DPA if the processing includes sensitive or other purely private data. Such a registration should include the following information:

  • the name and address of the controller, his representative (if any) and the processor (if any);
  • the category of processing and its purpose;
  • a general description of the processing;
  • a description of the categories of data subjects and of the categories of data relating to them;
  • the recipients or categories of recipients to whom the data may be disclosed;
  • intended transfers of data to third countries;
  • a general description of the measures taken to ensure security of processing;
  • the date of the commencement of the processing; and
  • the date of deletion of the data.

DATA PROTECTION OFFICERS

There is no requirement for organisations to appoint a data protection officer.

COLLECTION AND PROCESSING

Data controllers may collect and process personal data when any of the following conditions are met:

  • the data subject has given his explicit consent; or
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject;
  • processing is necessary for the performance of a task carried out in the public interest;
  • processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; or
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the data is disclosed, and these interests are not overridden by the interests of the data subject.

Sensitive personal data (as detailed above) may be processed only if:

  • the data subject has given his explicit consent to the processing of such data;
  • processing is necessary to protect the vital interests of the data subject or of another person where the person concerned is physically or legally incapable of giving his consent;
  • the processing relates to data which has been made public by the data subject; or
  • the processing is necessary for the establishment, exercise or defence of legal claims.

Personal data about purely private matters, including data about criminal offences and serious social problems, may be processed only if:

  • the data subject has given his explicit consent to such disclosure;
  • disclosure takes place for the purpose of pursuing private or public interests which clearly override the interests of secrecy, including the interests of the person to whom the data relate;
  • disclosure is necessary for the performance of the activities of an authority or required for a decision to be made by that authority; or
  • disclosure is necessary for the performance of tasks for an official authority by a person or a company.

Furthermore, the data controller must provide the data subject with the necessary information to fulfil the duty of information, including information about the identity of the controller and the purposes of the processing for which the data is intended and any further information which is necessary having regard to the specific circumstances in which the personal data is collected and/or obtained.

TRANSFER

Data controllers may transfer personal data out of the European Economic Area ("EEA") (insecure third country) if any of the following conditions are met:

  • the data subject has given his explicit consent;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre contractual measures taken in response to the data subject's request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
  • the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject;
  • the transfer is made from a register which according to law or regulations is open to consultation either by the public in general or by any person who can demonstrate legitimate interests, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
  • the transfer is necessary for the prevention, investigation and prosecution of criminal offences and the execution of sentences or the protection of persons charged, witnesses or other persons in criminal proceedings; or
  • the transfer is necessary to safeguard public security, the defence of the realm, or national security.

Furthermore, data controllers may transfer personal data out of the EEA, if the transfer is based on the Safe Harbor programme (to the USA) or the data exporter and the data importer has entered into standard contractual clauses approved by the EU Commission and these clauses have not been amended.

The DPA may authorise a transfer of personal data to an insecure third country where the controller adduces adequate safeguards with respect to the protection of the rights of the data subject.

SECURITY

Data controllers must implement appropriate technical and organisational security measures to protect data against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure, abuse or other processing in violation of the provisions laid down in the Act. The same applies to data processors.

BREACH NOTIFICATION

There is no mandatory requirement in the Act to report data security breaches or losses to the DPA. However, DPA practice stresses that affected data subjects normally should be informed about breaches.

ENFORCEMENT

The DPA, which consists of a Council and a Secretary, is responsible for the supervision of all processing operations covered by the Act. If the DPA becomes aware that a data controller is in breach of the Act, the DPA can state their legal opinion.

Furthermore, the DPA can impose fines and a person who violates the Act is liable to a prison sentence of up to four months.

In addition to this, a controller shall compensate for any damage caused by the processing of personal data in violation of the Act.

ELECTRONIC MARKETING

The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (e.g. an email address is likely to be "personal data" for the purposes of the Act). A company can process data concerning existing customers for marketing of the company's own products if the processing is necessary for the purposes of the legitimate interests pursued by the company and these interests are not overridden by the interests of the consumer. Besides that, processing of personal data for marketing purposes normally requires consent.

According to the Danish Marketing Practices Act, a trader must not approach anyone by means of electronic mail, an automated calling system or facsimile machine with a view to the sale of products, real property, other property, labour and services unless the party concerned has requested him to do so. If a trader that has received a customer's electronic contact details in connection with the sale of products or services, he may market his own similar products or services to that customer by electronic mail, provided that the customer has the option, free of charge and in an easy manner, of declining this both when giving his contact details to the trader and in the event of subsequent communications.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

Directive 2009/136/EC was implemented in the new Danish Act on Electronic Communications Services and Networks which came into force on 25 May 2011 in accordance with the implementation deadline in the Directive.

According to the "Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-user Terminal Equipment", which came into force on 14 December 2011, the use of cookies requires consent. The consent must be freely given and specific. However, this does not imply that consent must be obtained each time a cookie is used but a user must be given an option. Furthermore, the consent must be informed which implies that a user must receive information about the consequences of consenting. Finally, the consent must be an informed indication of the user's wishes. Normally, consent is obtained through tick-the-box but also the use of a homepage after having received the relevant information concerning cookies can constitute consent. Yet, consent by use of a homepage must be used with caution.

In addition to this, the information to the user must fulfil the below mentioned requirements: (i) The information must be clear and easy to understand; (ii) the purpose of the use of the cookies must be provided; (iii) the identity of the person or entity which is responsible for the use of the cookies must appear; (iv) the possibility of withdrawal of consent must be easily accessible and be described in the information; and (v) this information must be easily accessible for the user at all times.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com