I INTRODUCTION

A number of agencies are empowered to investigate corporate conduct. Among these are the Danish Public Prosecution Authority (encompassing the State Prosecutor for Serious Economic and International Crime and the Danish Money Laundering Secretariat), the Danish Financial Supervisory Authority, the Danish Data Protection Agency and the Danish Competition and Consumer Authority.

The Public Prosecution Authority is an authority that deals exclusively with cases concerning criminal investigation and prosecution. The primary responsibility for the authority is to decide on whether to pursue criminal prosecution and to appear before the courts in the criminal cases.

A special unit within the public prosecutor, the State Prosecutor for Serious Economic and International Crime (SEIC), investigates and prosecutes cases concerning particular economic crimes, that is, where the economic crime is of significance, part of organised criminal activity, based on extraordinary business measures or is otherwise of a qualifying character. Examples of cases dealt with by the SEIC are bribery and corruption cases and other closely related offences, competition law violations and money laundering. The SEIC is also responsible for handling international criminal cases, such as genocide, crimes against humanity and other serious criminal offences where the criminal act has been perpetrated abroad and the investigation and prosecution presupposes cooperation with foreign institutions and authorities. The SEIC has very broad investigative powers, and the authority takes a special position in Denmark due to its specialised powers.

The Money Laundering Secretariat is the Danish financial intelligence unit (FIU) and is a unit within the SEIC. The main responsibilities of the Secretariat are receiving, analysing or communicating notifications to businesses when there is a suspicion of money laundering. Certain businesses, for example, financial institutions, are subject to a number of inspection and reporting duties under the provisions of the Money Laundering Act in order to prevent money laundering. The Secretariat also receives notification of money laundering from public authorities. Upon receipt of a notification of potential money laundering the Secretariat determines whether to request that the police initiate further investigations in order to lodge an indictment. The police decide whether to make further investigations. The Money Laundering Secretariat can, when needed, assist the police in obtaining information from Interpol or other countries' FIUs. The Money Laundering Secretariat handles the 'transit cases' with no involvement from other authorities. Transit cases are those where there are no personal or legal entity ties to Denmark.

The Financial Supervisory Authority (FSA) is an authority under the auspices of the Minister for Economic and Business Affairs. It is an authority that supervises financial businesses in Denmark. The primary task of the FSA is supervision of financial undertakings. The FSA also supervises the securities markets in Denmark and conducts regular inspections of the relevant financial institutions. The FSA can issue warnings, impose injunctions and in severe cases, is also empowered to revoke necessary business licences. If the FSA detects illegal activity, it will report the business to the SEIC for further investigations.

The Danish Data Protection Agency (DDPA) monitors businesses in order to ensure compliance with the Act on Processing of Personal Data. The DDPA can initiate its own investigations if the agency suspects a violation of the law. The agency also receives citizen complaints, and after receiving these, the DDPA can decide whether specific data-processing measures are in accordance with the regulations. The DDPA is also empowered to inspect private businesses (and public authorities) in order to make sure that the processing of data is carried out in accordance with the Act on Processing of Personal Data. The agency conducts inspections several times a year. If the DDPA discovers a violation of the Act on Processing of Personal Data, the authority is empowered to issue a ban on further data processing. In some cases, the DDPA reports the violation to the police, which then takes over the investigation.

The Danish Competition and Consumer Authority (DCCA) enforces the Danish Competition Act. It is an authority within the Ministry of Business and Growth of the Danish government. The DCCA handles the daily operations of the administration of the Competition Act on behalf of the Competition Council. Unlike most other enforcers in Europe and elsewhere, the DCCA cannot issue fines but must forward cases to the public prosecutor. In limited cases involving minor infringements the DCCA is authorised to make administrative determinations, such as dawn raids. Investigations may be triggered in different ways, but typically by reports or complaints from competitors and consumers. The DCCA may also carry out investigations on its own initiative, if it suspects that a certain company has violated the Competition Act. The DCCA regularly carries out dawn raids in Denmark. Investigation and prosecution of criminal cases must be undertaken by the SEIC as the DCCA does not have authority to investigate or prosecute criminal cases before the courts.

Different authorities are empowered with different investigatory tools. The SEIC has very broad investigation powers, and its powers regarding dawn raids are much broader than the powers of the DCCA; the SEIC may seize documents during dawn raids, but the DCCA is only allowed to take copies of the information it wants.

Political agendas and domestic priorities have no impact on the prosecutorial functions. The authorities act independently and without any political influence.

A business under investigation has no obligation to cooperate with the authorities and taking an adversarial stance is both a realistic possibility and common.

Criminal investigations are handled exclusively by the authorities, that is, a business's internal investigations are not admissible in court. The authorities are obliged to remain neutral and objective in the course of their investigation and to share the information obtained through this investigation with their subject.

The Danish Criminal Code is the codification and the foundation of criminal law in Denmark. The Code is divided into a General Part of 97 sections and a Special Part of 208 sections. The main legal source of the rules of jurisdiction in Denmark in civil and commercial matters is the Danish Administration of Justice Act.

II CONDUCT

i Self-reporting

In Denmark, there is no general legal obligation to self-report. In determining whether to self-report, the seriousness of the offence and the leniency opportunities should be taken into account.

Cooperating with the authorities can benefit the companies that self-report. Cooperating may lead to a reduction in fines, and in some cases, the public authorities may even decide against commencing criminal charges.

Article 82 of the Criminal Code lists a number of mitigating circumstances for criminal conduct. These mitigating circumstances can lead to a reduction of the penalty upon conviction. The circumstances are primarily meant for individuals, but can also be relevant for a legal entity, for example, self-reporting or volunteering information on the illegal activities of third parties. It is at the discretion of the court to determine whether self-reporting or volunteering information about third parties should have an influence on the sentencing. Except in matters of cartel regulation, no written policies or guidelines are available as to when self-reporting may lead to benefits for businesses.

Under the Competition Act a member of a cartel may apply for impunity or leniency. Businesses that participate in a cartel can be punished by fines in excess of 20 million Danish kroner, although in some cases the fine may be lower due to mitigating circumstances. Executives and board members can be individually fined (usually several hundred thousand kroner) or sentenced to imprisonment for up to six years in very severe cases. Application for impunity is available to members of a cartel under the Competition Act, Section 23a. Impunity may be granted by the SEIC if the cartel member (applicant) is the first to report the cartel to the authorities, the applicant provides information that the authorities were not previously privy to, or the information provides grounds for investigative measures (inspection, dawn raid or police reporting) or grounds for establishing a violation of the Competition Act. The applicant must cooperate with the authorities throughout the investigation and the applicant must have ceased any participation in the cartel at the time of application and may not have forced any other business to participate in the cartel. If the applicant is not the first member of the cartel to self-report, the applicant may obtain a reduced fine under certain circumstances; that is, the information provided by the applicant regarding the cartel must add significant value for the authorities relative to the information already available, the applicant must cooperate with the authorities throughout the investigation, the applicant must have ceased any participation in the cartel at the time of application and may not have forced any other business to participate in the cartel. The second applicant in the cartel may obtain a 50 per cent reduction of the fine, the third applicant a 30 per cent reduction and the following a 20 per cent reduction. The prosecutor will inform the court of the applicants' participation and fulfilment of the requirements for leniency.

Applications will be treated with discretion, but no guarantees of confidentiality can be issued. In cases where the cartel involves other EU Member States the authorities have an obligation to report the cartel to the EU Commission and provide information on the identity of the applicants for leniency. The DCCA is also obliged to publish information on judgments and fixed-penalty notices issued against cartel members.

ii Internal investigations

A business may conduct its own internal investigation at any time, but there are no legal requirements as to when and how the investigation must be conducted.

The extent of the internal investigation will vary and depend on the size of the business and the level of exposure. Witness interviews and scrutiny of documents are typical in internal investigations. Internal investigations are typically conducted by law firms (external counsel). The external counsel will have no subpoena powers or otherwise, but must rely on the cooperation of the company and its employees, that is, it must rely on the company providing access to the relevant documents and granting interviews with relevant witnesses. A waiver of privilege would be expected as part of the company's cooperation. It is not unusual for the employees being interviewed to be assisted by independent counsel.

The investigations should be carried out in accordance with the Data Protection Law and the Danish employment law. There is no legal obligation for the company to disclose the findings of the internal investigation to the authorities.

iii Whistle-blowers

Whistle-blowers are a hot topic in Denmark. Whistle-blower systems are increasingly common in Danish businesses, as the systems give employees a safe place to share their knowledge. Whistle-blower systems are often seen as part of an effective compliance programme, as a way for employees either to report an illegal activity within the company or to seek guidance regarding potential cases of non-compliance.

Companies that have a whistle-blower system in place must ensure that it complies with the Danish data protection rules.

The Danish Data Protection Agency has provided a list of non-binding guidelines for reporting company whistle-blower systems.2 In accordance with these guidelines, businesses must notify the DDPA of the whistle-blower system using a notification form provided by the DDPA.

The notification form must contain information regarding the company (in a group of companies), which is the controller for all processing of data in connection with the whistle-blower system, a general description of the whistle-blower system, that is, a brief description of what happens with data reported to the whistle-blower system from the time of reporting to the conclusion of the case, information on the categories of persons about whom data will be processed and the types of data that will be processed. As a general rule, it is not permitted under the DDPA to process other sensitive data than data on criminal offences. The DDPA is of the opinion that reporting may only take place in case of serious offences - or suspicion thereof - that can be of importance to the group or company as a whole, or that can be of significant importance to the life and well-being of individuals. This may include suspicion of serious economic crime, including bribery, fraud, forgery, etc.

The DDPA has taken the view that reporting can take place to the degree required by the Sarbanes-Oxley Act, that is, for irregularities in the areas of accounting, internal auditing and suspicion of corruption and crime in the bank and finance sector. Other examples deemed suitable by the DDPA include cases of environmental contamination, serious breaches of work safety and serious circumstances involving an employee, for example, sexual abuse. However, less serious offences cannot be reported, such as cases of harassment, cooperative difficulties, incompetence, absence, or violation of guidelines on, for example, attire, smoking or drinking, or using e-mail or the internet.

The notification form must also include a list of all companies, categories of external consultants etc. that will have access to a report to the whistle-blower system. The notification form must indicate whether the data is to be transferred to other countries outside the EU or EEA, a general description of the measures to be taken regarding processing security, the scheduled commencement of the data processing and the scheduled deletion of the data. The data processing (that is, the whistle-blower system) may not be commenced before obtaining authorisation from the DDPA.

It is important to note that there is no statutory protection for whistle-blowers. The authorities have not implemented any specific incentives programmes for whistle-blowers to come forward.

Depending on the specific circumstances the businesses may take lawful action (e.g., terminate employment) against employees reporting suspicion of illegal activities if this is done in a disloyal manner, that is, by involving the media, or in a manner that violates confidentiality obligations. If the business has fired an employee for acting as whistle-blower and the termination is unlawful the employee is entitled to damages but not to be reinstated in the employment.

Only a few Danish cases have dealt specifically with employees reporting illegal activities. In the 2005 Grevil case (reported in Ugeskrift for Retsvæsen 2006.65Ø), Frank Grevil, a former army intelligence officer, leaked classified information regarding the threat reports from Iraq originating from the Military Intelligence Service, FET, to a journalist from a Danish newspaper. Frank Grevil was dismissed, found guilty of disclosing confidential information and was sentenced to six months' imprisonment.

III ENFORCEMENT

i Corporate liability

Corporate liability for legal entities is available under Danish law.

Criminal liability of a legal entity is conditional upon a transgression having been committed within the establishment of the legal entity by the fault of an individual connected to the legal person or at the fault of the legal entity itself.

A legal entity can be prosecuted in a similar way to a physical person if the legal basis is present; it must be stipulated specifically in the law that the company is subject to criminal punishment if an offence is committed by the legal entity.

The relevant set of rules is found in the Criminal Code, Chapter 5, which states that companies and corporate bodies can be subject to criminal liability. Criminal liability must involve the commission of a criminal act or omission by one or more physical persons acting on behalf of the legal entity. It is not a requirement that the person in question is part of the management. The company can be liable for any intentional or negligent criminal act or omission by its employees, contractors and agents acting on its behalf if the act or omission is not abnormal in the context of its usual business, practices and procedures. Generally, it would not be advisable - nor is it normal practice - for the company and individuals to be represented by the same counsel. But it is normal practice for counsel to cooperate on a defence.

ii Penalties

A company may only be punished by a fine. Imprisonment is only a possibility for individuals. Imprisonment can generally only be imposed on the management, but under special circumstances subordinate employees can also be charged with the offence.

Plea bargains are not available under Danish law. But an individual or corporate entity can accept a fine based on a fixed-penalty notice from the prosecutor. The amount of the fine will be determined after a consideration of the gravity of the offence, the duration of the offence and the turnover of the company.

A company can also be subject to confiscation, which follows from Section 75 of the Criminal Code. Confiscation can be a possible penalty if the company has gained proceeds from a criminal act, and if the Danish Public Prosecution Authority decides on prosecution.

The range of potential sanctions does not vary based on which authority brings the action, but the level of fines may vary depending on the subject matter.

iii Compliance programmes

Over the last few years, there have been significant developments in establishing and practising compliance programmes in Denmark.

There is no regulation on compliance programmes nor any sentencing guidelines that take compliance programmes into account.

Compliance programmes primarily ensure that the business complies with the law, but the existence of a compliance programme also has some advantages regarding the penalties in cases of non-compliance. The existence of a compliance programme can serve as an argument against criminal charges or as an argument for mitigation of the penalty, for example, as a reduction of a corporate fine. However, this is only a possibility and it is at the discretion of the prosecutor and the courts to assess whether a compliance programme should be a mitigating factor. Generally, a compliance programme will not be a mitigating factor if senior management has been involved in the offence.

iv Prosecution of individuals

Under Danish law an employer has a right to decide whether an employment should be terminated. However, the exercise of the right has been limited during the last decades by statutes and by collective agreements, prescribing that a termination should be based on a fair reasoning. In this context, a fair reasoning means that the termination should either be reasonable according to the conditions of the company or the behaviour or conditions of the employee. Criminal charges against an individual would normally be sufficient for a lawful termination.

The company may coordinate with the employee's individual counsel and it may be advisable for the company to retain the employee until after the criminal investigation has been finalised or even until after a judgment has been rendered. The company will be able to cooperate with the investigation and retain the employee. The company can advance or pay the legal fees of the employee's counsel, but it may create complex tax issues.

IV INTERNATIONAL

i Extraterritorial jurisdiction

Danish law applies if a criminal offence is committed outside of Denmark if the suspect is either a Danish citizen or a permanent resident, and if the offence is recognised as a criminal act in Denmark.

The Criminal Code specifies that Danish courts have jurisdiction in offences committed outside of Denmark, if the offence is committed either by a Danish citizen or a permanent resident in Denmark, or if the citizen who committed the offence becomes a Danish citizen or a permanent resident in Denmark after having committed the offence.

ii International cooperation

The Nordic countries - Denmark, Finland, Iceland, Norway and Sweden - cooperate closely regarding criminal investigations and crime prevention. On the basis of cross‐national influences between historically interrelated and culturally relatively similar countries, this cooperation is successful.

Denmark has ratified a number of conventions to address criminal activity. Among these are the Schengen Agreement 1995, the European Conventions on Mutual Assistance in Criminal Matters 1959 and 2000, and a further number of UN and EU conventions. Furthermore, Denmark is an active member of several international networks. Among these are Europol, OECD and Interpol.

Extradition is possible under the auspices of the European arrest warrant and pursuant to individually negotiated treaties with countries outside the EU. Extradition is not common but it does occur.

iii Local law considerations

The Danish authorities are very reluctant to recognise investigatory measures foreign to Danish law. The authorities will recognise foreign criminal investigations that comply with Danish law and particularly if the Danish authorities are involved in the investigation.

V YEAR IN REVIEW

The General Data Protection Regulation (GDPR) is a new regulation within the EU intended to strengthen and unify data protection. When effected, it will replace the old data protection directive from 1995.

The GDPR entered into force on 5 May 2016 and Denmark and other EU Member States have to transpose it into their national laws by 6 May 2018.

The primary objectives of the GDPR are to give citizens and residents control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. One of the more extensive provisions of the new regulation is that businesses must appoint a data protection officer (DPO). A DPO is a person in charge of supervising and ensuring the organisation's compliance with the GDPR.

In general, the new regulation tightens the standards for the administration of personal data and imposes a considerably higher level of fines; a serious violation of the regulation can lead to a fine as high as €20 million or 4 per cent of global turnover.

Despite the increased effort, the Financial Action Task Force (FATF) does not consider Denmark's effort in combating money laundering as sufficient. Following its inspection in November 2016, FATF criticised the Danish authorities' risk assessment and their lack of coordination. Businesses may, therefore, expect further measures of the authorities regarding money laundering. At the end of 2016, a bill was introduced, in order to implement the EU Fourth Anti-Money Laundering directive, and thereby implement certain changes to the current regulation on money laundering. The bill seeks to implement the recommendations by FATF. The bill will, inter alia, extend the scope of application, amend certain definitions, obligate a business to continuously assess its risk for being involved in money laundering, and entail more thorough customer assessment procedures and changes to the notification procedures. The bill was passed on 2 June 2017 and will enter into force on 26 June 2017.

In January 2017 the Danish High Court imposed a record-breaking fine for money laundering (the Eastern High Court judgment on 26 January 2017 in case No. S-317-16). The fine was 111 million kroner for the laundering of 223 million kroner through an exchange bureau. Two individuals (managers) were sentenced to six years of prison each. The judgment put an end to both the managers' and the exchange bureau's activities. The case is the first of its kind in Denmark, but it coincides with the fact that the Danish authorities have increased their effort to combat money laundering.

In March 2017 the Danish High Court imposed a record-breaking fine of 13 million kroner for market abuse on a company (the Eastern High Court judgment on 23 March 2017 in case No. S-2410-15). The former CEO and chairman of the board were both sentenced to imprisonment of 18 months and their proceeds from divestments of shares in the company (800,000 and 9 million kroner respectively) were confiscated. The case concerned the legality of the purchases of treasury shares through a longer period (between November 2007 and October 2008) in the amount of approximately 100 million kroner. The company's traders purchased the shares at the stock exchange with the purpose of using the shares as payment in connection with the fulfilment of agreements with third parties and in order to fulfil options programmes with senior staff, including the CEO and chairman of the board.

The High Court found that the company by its actions had ensured that the stock price was artificially high compared to the market value and that the activities gave the market wrongful or misleading signals regarding the stock price. The company's traders bought up so many shares that the company obtained a dominant position in the market, or the company through its traders placed orders, for example, in closed auctions at the best price, which was significantly above the latest updated price at the stock exchange.

The case is significant due to the sanctions imposed and because the prosecutor in previous years has failed to obtain convictions in cases involving market abuse.

VI CONCLUSIONS AND OUTLOOK

Implementation of the GDPR has received significant attention and this trend will most likely continue.

The bill implementing the EU Fourth Anti-Money Laundering Directive will also receive attention and businesses will have to implement new procedures on the assessment of their risk in participating in money laundering.

Generally, we expect that cross-border investigations will be prioritised by the authorities and that the necessary resources will be allocated to the authorities to deal with the complex issues and to cooperate with foreign authorities.


1 Jacob Møller Dirksen is a partner at Horten Law Firm.

2 www.datatilsynet.dk/english/whistle-blower-systems/whistle-blower-guidelines.