New Danish Data Protection Law and GDPR Implementation

The 2018 Danish Data Protection Act, or the DDPA 2018 for short, is a data privacy law that was recently passed in Denmark in 2018. As Denmark is an EU member state, the DDPA 2018 was enacted for the purpose of implementing the provisions and guidelines of the General Data Protection Regulation, or GDPR, into Danish law. To this end, the DDPA 2018 and the EU’s GDPR law work in conjunction with one another to establish the legal grounds for the collection and processing of personal data in Denmark. What’s more, the law also empowers the Danish data protection authority, or the Datatilsynet for short, to impose a variety of sanctions and punishments against individuals or organizations who fail to comply with the law.

What is the scope and application of the DDPA 2018?

In terms of the scope and application of the law, the personal scope of the law applies to all aspects of personal data that are collected and processed within Denmark, subject to certain exceptions. As it pertains to the territorial scope of the law, the DDPA is applicable if “the personal data being processed relates to a person located in Denmark, but is carried out by a data controller or processor outside the EU so long as the processing relates to the exchange or offering of goods or services or surveillance of the person, as long as the activities being surveilled take place in Denmark.” The material scope of the law, in turn, covers “the processing of personal data, special categories of personal data, processing for a specific purpose or by automated means as well as anonymous data.”

What are the differences between the DDPA 2018 and the EU’s GDPR law?

As it pertains to the requirements of data controllers and processors under the law, as well as the rights of data subjects under the law, the provisions of the DDPA 2018 when compared with the EU’s GDPR law remain largely unchanged. For instance, the DDPA 2018 requires data controllers and processors operating within Denmark to adhere to the same data protection principles that are mandated under the EU’s GDPR law. However, there are some differences between the two pieces of legislation with respect to the legal grounds for processing. For instance, the provisions of the DDPA 2018 are also applicable to credit rating agencies that operate within Denmark.

Under the DDPA 2018, the following restrictions apply as it relates to the categories of personal data which can be processed by credit rating agencies in relation to credit rating:

  • Only data categories necessary for credit rating and evaluation of an individual’s financial standing can be processed;
  • Credit rating agencies cannot process special categories of personal data or information about criminal convictions or offenses;
  • Personal data that is more than five years old and which may indicate that credit should not be granted must not be processed unless it is assessed that the information is of crucial importance to the credit rating of the individual; and
  • Information about financial standing or the credit rating of individuals can only be communicated to third parties in writing, unless the data is aggregated and the information of the receiver’s name and address is stored by the credit rating agency for at least six months.

What are the rights of Danish citizens under the DDPA 2018?

Under the DDPA 2018, the rights of Danish citizens are the same as those that are provided to other citizens of EU member states under the EU’s GDPR law. These rights include:

  • The right to be informed.
  • The right to access.
  • The right to rectification.
  • The right to erasure.
  • The right to object or opt-out.
  • The right to data portability.
  • The right not to be subject to automated decision-making.
  • The right to restriction of processing, under certain circumstances.

In terms of the enforcement of the law, the DDPA is enforced by the Danish data protection authority, or the Datatilsynet for short. However, Datatilsynet does not have the authority to directly impose fines against violators of the law, and can instead only issue fine notices. Moreover, these fine notices can only be issued after certain violations of the EU’s GDPR law have been established. With all of this being said, data controllers and processors who violate the DDPA 2018 are subject to a monetary penalty ranging from 2% of a company’s global turnover or €10,000,000.00 ($11,291,250), whichever is higher, to 4% of a company’s global turnover or €20,000,000.00 ($22,583,400), whichever is higher, as well as further punishments that can be imposed by Datatilsynet.

The 2018 Danish Data Protection Act, or the DDPA 2018 for short, is one of many European data privacy laws that were passed or amended in 2018, including the Dutch GDPR Implementation Act and San Marino Law no. 171 of 21 December 2018. More specifically, as Denmark is a member of the European Union, the DDPA 2018 effectively guaranteed the data privacy rights of Danish citizens by ensuring that all provisions of the EU’s GDPR law were also implemented into Danish law. As such, the European Union continues to lead the international charge for ensuring data protection standards for citizens around the world.