Similar to other countries in Europe, Denmark has passed legislation designed to supplement the requirements of the EU General Data Protection Regulation (GDPR),[2] which came into force on 25 May 2018. In Denmark the main regulation concerning processing of personal data is the Data Protection Act,[3] which came into force on 23 May 2018.
In addition to the rules of the GDPR, the Data Protection Act and national practice implement certain derogations concerning the processing of personal data, especially in respect of processing of personal data within the employment sector. Furthermore, the national legislation introduces a fourth type of personal data in the form of 'confidential' personal data, which may include private, social or economic data concerning the data subject.
It is a well-known fact that few Danish companies worried about data protection compliance or spent significant resources on compliance prior to the entry into force of the GDPR because the fines for non-compliance were low and there was a general lack of awareness and interest in the subject by the public. This was despite the implementation of the EU directive from 1995[4] and the fact that the principle of confidentiality in respect of personal data is a constitutional right.
However, because of the risk of major penalties and commercial risks, such as lack of trust from business partners and other stakeholders, bad publicity in general and loss of goodwill due to personal infringements, many companies invested heavily in compliance projects and programmes in order to be 'GDPR-compliant' before 25 May 2018. Some have even compared the widespread lack of preparedness to the frenzy prior to Y2K at the turn of the millennium.
The ePrivacy Regulation (ePR) is still subject to negotiations in Brussels and will likely be applicable in 2020.
The following chapter provides a pragmatic overview of the current legal situation in Denmark in respect of the national requirements following the GDPR.
II THE YEAR IN REVIEW
The Danish Act on Processing Personal Data that implemented Directive 95/46 EC came into force in 2002. But despite the fact that the Danish data protection regulation is more than 15 years old, not much attention was paid to data protection in Denmark until the GDPR was passed in 2016. The term 'data protection' was basically unheard of in the general Danish population and in most companies before 2017–2018.
In May 2018, the Danish Chamber of Commerce published an analysis on companies' GDPR compliance costs up to 25 May 2018, which showed GDPR-related costs for the Danish business community of 8 billion kroner.[5] Despite these high costs, most companies have still not completed their basic GDPR compliance projects and many still have not even started their compliance work, even though more than a year has passed since the GDPR came into full force.
The entry into force of the GDPR has thus been the dominant topic over the past year in terms of compliance, and one thing is certain – the term 'data protection' is no longer unknown to private companies, public authorities or the Danish population in general.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
The rules governing processing of personal data in Denmark are primarily set forth in the GDPR and the Data Protection Act.
In addition, any rules governing processing of personal data in other legislation (lex specialis) shall take precedence over the rules laid down in the Data Protection Act (collectively the Data Protection legislation).[6]
In line with the GDPR, the Data Protection legislation applies to the processing of personal data as part of the activities carried out on behalf of a controller or processor established in Denmark, regardless of whether the processing takes place in the EU.
The DPA has published several hands-on guidelines describing how companies must adhere to the Data Protection legislation.[7] The guidelines are not legally binding but they are generally taken very seriously in the public and private sector given the DPA's role as primary regulator and enforcer of the data protection rules in practice.
In connection with the personal data set forth in Article 6 of the GDPR, the Data Protection legislation distinguishes between 'regular data' and 'confidential data', a distinction that is not explicitly mentioned in the GDPR.
Confidential personal data is personal data that, due to its nature and the context, may require 'special protection', as the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to such personal data may cause greater physical, material or non-material damage to the data subject than regular personal data. Depending on the circumstances, personal data concerning income and wealth, conditions of employment or internal family relationships may be deemed confidential personal data. The Danish civil registration number (CPR number) is also deemed to be confidential personal data.
Consequently, a controller or processor must take any such precautions needed to safeguard confidential data in accordance with Article 32 of the GDPR.
In addition, confidential personal data will also often be subject to special rules in other regulation as described above.
ii General obligations for data handlers
Controllers are not obligated to register with the DPA in relation to their processing of personal data.
The Data Protection legislation sets forth the fundamental requirements applicable to all processing of personal data. In particular, the Data Protection Act requires that personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.
To comply with the obligation to notify the data subject in accordance with Articles 12–14 of the GDPR, the controller must take active steps to provide the information. Consequently, it is not sufficient that the relevant information is available on a website or similar, which the data subject is required to find on his or her own. The form of notification shall reflect the means of collecting personal data. The controller must notify the data subject in writing, unless otherwise accepted by the data subject. Furthermore, the notification shall be provided electronically, if appropriate, for example if the personal data is collected via an electronic form.
If a controller receives unsolicited personal data from a data subject, the controller must notify the data subject in accordance with Article 13 of the GDPR as soon as possible and no later than 10 days after receipt.[8]
In accordance with DPA guidelines, a controller must use encryption when transmitting confidential and sensitive personal data by email via the internet. There are usually two possible approaches to achieve this: either encryption is applied to the transport of the data packets containing the email when they are sent over the network (known as TLS encryption), or the content of the email is encrypted by the sender before it is sent over the network. The choice of encryption depends on the characteristics of the personal data to be transmitted and the volume thereof.
iii Data subject rights
The right of access in relation to Article 15 of the GDPR implies that the data subject has the right to receive information concerning the processing of personal data by a controller. The right of access is not limited and includes all information about the processing in IT systems, TV surveillance images, logs, notes, HR information, emails, etc.
The controller may request the data subject to clarify the request for access. However, as a rule the controller may not refuse to comply with the request for access if the data subject refuses to clarify the request.
The controller may derogate from the right of access (and from the obligation to notify the data subject of the matters set out in Article 13(1)–(3) and Article 14(1)–(4) of the GDPR) if the data subject's interest in this information is found to be superseded by essential considerations of public or private interests, including consideration for the data subject himself, e.g. if a data controller is processing personal data in a whistle-blower inquiry and keeping such personal data confidential is necessary for investigation purposes.
In a recent case, the DPA did not find it contrary to the rules regarding data subjects' right of access to deny access to video surveillance from a public metro station, since it was necessary for the security of the metro.[9] In another recent case, the DPA publicly criticised a controller who failed to grant a request for access to TV surveillance showing a father and son in a car wash, arguing that it was non-excusable that the controller could not redact other individuals from the surveillance material.[10] In light of these recent cases, the exception from the right of access is assumed to have a relatively narrow scope.
In accordance with Article 16 of the GDPR, a controller must correct any inaccurate personal data upon request from a data subject.
However, the situation may arise where a controller does not agree with the data subject that the personal data is inaccurate, for example in a dispute concerning the accuracy of notes taken at a meeting between HR and an employee. The controller is not obliged to correct personal data if the controller's factual belief is that the personal data processed is accurate.
In such cases, the controller must ensure that a note is made on the disputed information indicating that the data subject does not agree with the accuracy of the personal data, and what the data subject considers to be accurate.
In accordance with Article 17 of the GDPR, a controller must erase personal data at the request of a data subject if the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
In a recent case regarding deletion of photos of an intimate nature, the DPA did not find it contrary to the rules not to withdraw and delete published images on the internet, as the DPA assumed that the processing was based on a contract between the parties and not on consent.[11]
In accordance with Article 20 of the GDPR, a data subject has the right to receive and transfer personal data from one controller to another when (1) the processing is done 'automatically' and the processing is based on the consent of the data subject or is required to fulfil a contract and (2) the personal data is provided by the data subject itself.
The term 'provided' shall be interpreted broadly and shall include personal data provided directly by the data subject or collected or generated by the controller, for example, through electronic means. Consequently, personal data a data subject is entitled to receive under Article 20 of the GDPR may include data concerning purchasing behaviour, location data and other observed behaviour. Thus, personal data may include data collected during employment.
The data subject is, however, not entitled to receive personal data that is a result of related processing by a controller, such as the results of processing personal data with an algorithm.
iv Specific regulatory areas
Processing of personal data covered by Article 6(1) and Article 9(1) of the GDPR in an employment context may take place on the basis of consent from the data subject in accordance with Article 7 of the GDPR.[12] However, an employer is – as a rule – allowed to process an employee's personal data to a usual and reasonable extent in connection with the employer's HR administration without obtaining employee consent or DPA authorisation.
Such processing must be justified for operational reasons and may not be offensive to the employee. Furthermore, the controller must inform the employee of the processing no later than six weeks prior to initiation.
In a recent case concerning processing of biometric data (fingerprints), the DPA concluded that the prohibition of processing of personal data under Article 9(1) of the GDPR cannot be waived by reference to Article 9(2)(f) (legal requirements) when processing is carried out as part of the control of an employee's working hours.
The DPA also considered whether processing could be based on employee consent.
Despite this being the general rule, the DPA considered that employee consent to an employer in such matter cannot be considered voluntary and thus cannot constitute a valid basis for processing of biometric data.
When an employee has resigned, his or her email account must be kept active for as short a period as possible. This period is determined by the position and function of the resigned employee and cannot exceed 12 months. In connection with the resignation, an auto-reply must be sent from the email account with notice of the employee's resignation and any other relevant information. The active email account may only be used for receiving emails and forwarding relevant emails internally within the controller's organisation.
If a controller wants to record conversations, for example for quality assurance or for educational purposes, the controller shall – as a rule – obtain consent from the individual involved before the conversation is recorded. In a recent case concerning the use of telephone recordings for training purposes, the DPA issued a temporary order to ban the processing of personal data for internal use, as such processing activities are not within the legitimate interest of the controller.[13] In one case (pre-GDPR), the DPA specifically stated that the storing of telephone recordings from securities trading could take place without consent for documentation reasons. In light of the recent cases from the DPA, the exception is assumed to have a relatively narrow scope.
Processing of a child's personal data based on consent in connection with the offering of information society services is lawful provided that the child is no younger than 13.
Processing of personal data in connection with healthcare and medical privacy is generally governed by the Danish Health Act.[14] Information to be provided upon request under Articles 15–22 of the GDPR in connection with healthcare and medical privacy must be provided to the data subject without undue delay and in any event within seven days from receipt of the request.
Television surveillance is governed by rules laid down in the Danish TV Surveillance Act.[15] The term 'television surveillance' means continuous or regularly repeated monitoring of persons by means of a remote or automatic camera. It is irrelevant whether image capture occurs or whether the images are simply displayed on a TV screen or the like.
In particular, a controller must not carry out television surveillance of areas with ordinary traffic.
However, the ban on television surveillance of areas with ordinary traffic does not apply everywhere because of security and crime prevention considerations. The television surveillance prohibition does not for example apply to petrol stations, banks, casinos, hotels and restaurants, shops, etc. Furthermore, television surveillance without image recording of entrances and facades is allowed.
The rules of the Data Protection legislation apply in addition to the TV Surveillance Act.
In addition to the rules on notifying the data subject in accordance with Articles 12–15 of the GDPR, the rule is that the controller conducting television surveillance must clearly indicate that surveillance activities take place by signage or similar.
Recordings containing personal data originating from television surveillance for crime prevention purposes must generally be deleted 30 days after recording.
Together with the general rules of the Data Protection legislation, the rules of the Danish Marketing Act limit the processing of personal data in connection with direct marketing.[16] Direct marketing means the use of personal data to make direct contact with the data subject, for example via email, SMS or a letter.
In particular, a controller may not contact the data subject by use of electronic means for direct marketing purposes unless such processing is based on the consent of the data subject.
A data subject has the right to object to the processing of personal data for direct marketing purposes. If the data subject makes such an objection, the personal data may no longer be used for this purpose. This also applies if a controller performs profiling for marketing purposes.
Irrespective of whether the controller has received an objection from the data subject as described above, it must check whether the data subject has declined to receive inquiries for marketing purposes. In practice, this is done by verifying whether the registered person appears in the Danish civil registration register (CPR).
Furthermore, a controller is not entitled to disclose or process personal data of a data subject without express consent.
This prohibition does not apply in the case of 'general customer information', which forms the basis of categorisation into customer categories, provided that the interest of the data subject does not exceed the interest of the trader. In this case, the controller must check via the CPR that the consumer has not declined inquiries for marketing purposes. General customer information does not include detailed information on the data subject's consumption habits, such as information on the data subject's purchase of a car on credit or what goods the data subject has purchased.
v Technological innovation
Controllers who make use of big data, the 'internet of things' (IoT), artificial intelligence (AI), facial and body recognition as well as other 'intelligent products' for processing means must assess whether personal data is involved – and, if so, which personal data – for the purposes in question.
Data that may seem innocent at first glance, for example daily consumption, may prove to be personal data, maybe even confidential or sensitive personal data, because the collected data might reveal health-related or private matters.
Consequently, personal data must be classified according to its sensitivity based on the damages and risks from the data subject's perspective in accordance with the GDPR.
A lack of continuity in the solution may pose a threat to personal data, for example if a critical healthcare system or surveillance system loses vital personal data or if such data is temporarily unavailable.
Thus, controllers must ensure that the intelligent products can be continuously updated as errors are detected in the software. Therefore, controllers of intelligent products must be aware of the extent to which they rely on external suppliers and require a high security level from them.
In addition to the security and reliability concerns of new IT solutions, the issue regarding ownership and access to personal data developed entirely by automatic algorithms and systems (i.e., AI software) is evident.
Today's AI solutions consist of a series of algorithms that aim to generate an output based on the data they receive. As the amount of data increases, the AI software becomes 'wiser'. Eventually, the AI software can predict accurate output in other similar matters without the use of real data or facts.
In a personal data context, it raises the question 'When is data personal data?', as the data used might not originate from the data subject but from AI software based on its 'experience' gained over time. Similarly, another question arises as to whether this data is accurate enough for the controller to use the personal data in another context, such as for marketing purposes or preventative security solutions.
The GDPR does not provide an answer to these questions, and the DPA is yet to comment on them.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
International data transfer is subject to the provisions in the GDPR and, as an EU Member State, Denmark is part of the EU–US Privacy Shield.
There are no restrictions related to international transfer of personal data within the European Economic Area (EEA)[17] other than the restrictions related to national transfers of personal data in the GDPR or special national legislation. According to the GDPR, any transfer of personal data to a third country or international organisation may only take place under specific circumstances and if the conditions in the GDPR, Chapter V, are complied with by the controller and processor involved. The basic circumstances and conditions are outlined in the following.
According to the GDPR, international transfer of personal data to a third country or international organisation may take place without any specific authorisation, where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.
At the time of writing, the European Commission has recognised the following countries as providing adequate protection: Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the United States (limited to the Privacy Shield framework).[18]
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organisation if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective remedies are available.
In relation to international data transfers between private companies or organisations it is common that appropriate safeguards are provided by standard contractual clauses or binding corporate rules. Binding corporate rules only cover international data transfers between group companies, and application of the rules requires that the competent supervisory authority (DPA) approves the rules. Furthermore, the work related to adopting binding corporate rules is extensive and hence recommended exclusively for large international groups. As opposed to binding corporate rules, standard contractual clauses require no approval from the DPA and may be used to transfer personal data between group companies as well as between external companies.
Furthermore, the standard contractual clauses may be included in other contractual material, such as data-processing agreements or trade agreements, provided that no changes are made to the clauses. There are three types of standard contractual clauses, all of which are available on the European Commission's website.[19]
Appropriate safeguards may also be provided between private parties by an approved code of conduct or an approved certification mechanism, both together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards. Such certifications and codes of conduct will probably be important contributions to more transparent access to conduct international data transfers. However, at the time of writing neither codes of conduct nor certifications have been approved in Denmark.
Finally, appropriate safeguards may be provided between private parties by ad hoc contractual clauses between the controller or processor in Denmark and the controller or processor in the third country, subject to DPA approval.
In the absence of an adequacy decision or appropriate safeguards, international transfers of personal data to third countries are restricted to very limited circumstances, including:
- if the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks (except if the activities are carried out by public authorities in the exercise of their public powers);
- if the transfer is necessary for the performance of a contract between the controller and the data subject or the implementation of pre-contractual measures taken at the data subject's request (except if the activities are carried out by public authorities in the exercise of their public powers);
- if the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (except if the activities are carried out by public authorities in the exercise of their public powers);
- if the transfer is necessary for important reasons of public interest; or
- if the transfer is necessary for the establishment, exercise or defence of legal claims.
Furthermore, the transfer in question may only take place under the following circumstances:
- if the transfer is not repetitive;
- if the transfer only concerns a limited number of data subjects;
- if the transfer is necessary for the purpose of compelling legitimate interests pursued by the controller that are not overridden by the interests or rights of the data subject;
- if the controller has assessed all the circumstances surrounding the transfer;
- if the controller has informed the DPA of the transfer;
- if the controller has informed the data subject of the transfer and on the compelling legitimate interests pursued (in addition to providing the information referred to in the GDPR, Articles 13 and 14); and
- if the controller or processor responsible for the data transfer has documented the above assessments in the records referred to in GDPR Article 30.
V COMPANY POLICIES AND PRACTICES
To be compliant with the Data Protection legislation, it is essential to know (1) which personal data your company is processing; (2) for how long; (3) why; (4) where the personal data is processed as well as (5) recipients of personal data provided by your company.
The most common measures to obtain essential knowledge of the company's processing activities and to document the company's compliance level are performing a dataflow analysis on a regular basis (e.g., once a year) to keep track of any changing processing activities and preparing a gap analysis indicating any compliance gaps.
It is important to note that GDPR compliance is predominantly based on a basic principle of accountability and the company's individual risk assessments, which means that several measures necessary for GDPR compliance in practice do not follow directly from the GDPR, for example dataflow mapping or ensuring that employees processing personal data have sufficient knowledge of applicable rules and restrictions for processing personal data.
The range of policies and practices required to comply with the GDPR will therefore vary depending on the company's processing activities. The following represents the minimum statutory and non-statutory procedures and documentation regarding private companies' most common general processing activities relating to employee and private customer personal data.
The minimal recommended documentation and procedures regarding all processing activities are as follows:
- documented overview of personal data processed, such as dataflow mapping and gap analysis;
- statutory records of processing activities (Article 30 of the GDPR);
- education of employees, including for example internal guidelines outlining the rules and restrictions of processing personal data in general and regarding the company's specific processing activities (e.g., the use of emails and access rights in IT systems), the company's security measures, how and when to respond to data subject rights requests, and how to identify data breaches etc.; e-learning or other relevant education regarding the processing of personal data; and internal GDPR awareness campaigns etc.;
- documented assessment of whether or not the company is obliged to designate a data protection officer, if it is questionable whether or not the company is obliged to according to Article 37 of the GDPR;
- statutory privacy impact assessments regarding high-risk processing activities (Articles 35–36 of the GDPR);
- internal IT and security policy outlining the rules and restrictions of the company's security measures, for example, regarding the use of mobile devices, computers, physical access to buildings or offices, electronic access to IT systems, back-ups, firewalls etc.;
- internal procedures to assess, document and report data breaches. The controller is obligated to register all data breaches internally notwithstanding the company's potential obligation to notify the supervisory authority competent in accordance with Article 33 of the GDPR or communicate the data breach to the data subject in accordance with Article 34 of the GDPR;
- procedures for the erasure of personal data and retention schedules outlining the retention periods for all personal data processed by the controller or processor. There are few rules and guidelines on specific retention periods in Denmark, and most retention periods are set out by the controller's or processor's legitimate purposes to retain the data based on the Danish Limitation Act, Danish legislation on bookkeeping, accounting and tax, as well as DPA case law. Furthermore, the period of limitation for infringement of the GDPR and the Data Protection Act or rules issued in pursuance hereof is five years according to Article 41(7) of the Data Protection Act. The recommended retention periods regarding the most typical processing activities regarding employee and private customer personal data are set out below; and
- control procedures to ensure the ongoing compliance level, including for example sampling in relation to internal policy compliance and erasure of personal data in accordance with the outlined retention periods, supervision of data processors, controlling and updating the statutory records of processing activities, performing a dataflow analysis on a regular basis, etc.
In addition to the minimum documentation and procedures listed above, the below documentation and procedures are recommended regarding the processing of personal data relating to applicants, present and former employees:
- procedures for collecting applicant consent for retaining application material for a specific period after the end of recruitment for future relevant vacancies. Retention of the application post-recruitment requires consent from the applicant, except if the purpose for further processing is the defence of a legal claim;
- procedures for erasure of application material after the end of the outlined retention period, which is most commonly a period of six to 12 months from the end of recruitment or time of receipt of unsolicited applications;
- internal guidelines and procedures regarding surveillance, for example, GPS tracking, video monitoring, website logging, mobile device tracking etc.;
- employee consent to the processing of photographs or videos of employees on the company website and on social media, in connection with employees' contact information on the company website, and in marketing material, posts, brochures etc.;
- procedures for closing (and erasing) employee email accounts as soon as possible after the end of employment as discussed in Section III.iv; and
- procedures for erasure of the employee's personal file after expiry of the outlined retention period, typically five years after the end of employment based on DPA case law and the limitation period of five years as set out in the Danish Limitation Act regarding claims arising from an employment relationship.
In addition to the minimum documentation and procedures listed above, the following documentation and procedures are recommended regarding the processing of personal data relating to private customers:
- procedures for collecting consent to approach anyone by means of electronic mail, an automated calling system or fax for the purpose of direct marketing[21] and consent to approach consumers by telephone for the purpose of direct marketing;[22]
- internal guidelines and procedures for collecting and processing personal data in CRM systems;
- procedures and company rules on processing personal data in relation to digital marketing tools, the use of social media etc. (e.g., in relation to Google Analytics, Facebook competitions or inquiries via LinkedIn), especially outlining the rules on international transfer of personal data, the rules for collecting consent to publish personal data and the rules in the Danish Marketing Act; and
- procedures on how to give customers the statutory information according to Articles 13–14 of the GDPR if customer calls are recorded (including recording for educational purposes) as discussed in Section III.iv.
VI DISCOVERY AND DISCLOSURE
Denmark has no general discovery or disclosure scheme in relation to civil litigation corresponding to the rules in countries such as the USA and the UK and it is generally left to each party to decide which information they are willing to provide/introduce into evidence. By operation of the GDPR data subjects now have wider access to their personal data than ever before.
Under the jurisdiction of the GDPR, disclosure of personal data is basically a processing activity equal to all other processing activities. Disclosure of personal data therefore requires a legitimate purpose according to Article 5 of the GDPR, and legal grounds according to Article 6 of the GDPR (ordinary personal data), Article 9 of the GDPR (special categories of personal data), Article 8 of the Data Protection Act (personal data about criminal offences) or Article 11 of the Data Protection Act (national identification numbers). The Data Protection legislation applies equally to private companies and public authorities; however, in practice, public authorities' legal basis for processing personal data has a wider scope in special legislation than that of private companies.
If the Danish government or the Danish civil courts request disclosure of personal data in relation to a specific investigation or case, the controller will in practice in most cases have legal grounds for disclosing the data to the government or the civil court if special legislation authorises the government or the civil court to require the disclosure of the personal data in question (e.g., Sections 298(1) and 299(1) of the Danish Administration of Justice Act23 according to which the court may order disclosure of documents relating to the matters in question). If the Danish government or the Danish civil courts do not have legal grounds to request disclosure of the personal data, the controller must have other legal grounds for disclosing the personal data in the Data Protection legislation. The controller may, for example, disclose information regarding national identification numbers 'if the disclosure is a natural element of the ordinary operation of enterprises etc. of the type in question and the disclosure is of decisive importance for unique identification of the data subject or the disclosure is demanded by a public authority' according to the Data Protection Act, Article 11(3). This legal basis may for example be used by real estate agents and lawyers in relation to their disclosure of the parties' national identification numbers to the Danish registry when applying for registration of documents regarding property transactions.
The processor may also disclose personal data about criminal offences 'if the disclosure takes place to safeguard private or public interests which clearly override the interests of secrecy, including the interests of the person to whom the data relates' according to Article 8(2) of the Data Protection Act. This legal basis may, for example, be used by an employer in relation to its disclosure of personal data about an employee's criminal offence to the police as part of an investigation regarding the employee.
In relation to disclosure requests or demands from foreign prosecutors, courts or governments, the above-mentioned GDPR rules on international transfer of personal data also apply if a foreign government requests the disclosure of personal data stored under the jurisdiction of the GDPR.
Especially with regard to US government disclosure requests to US-based organisations storing personal data under the jurisdiction of the GDPR or the former Directive on the protection of personal data,24 the legal situation may cause major conflicts for US-based organisations obligated to disclose the data in question under US law and prohibited from disclosing the data in question under European law. After the enforcement of the US CLOUD Act,25 which essentially provides that organisations under US jurisdiction are obliged to comply with US law enforcement agencies' search warrants to gain access to data regardless of whether the data in question is located within or outside the United States, the legal state regarding transfer of personal data from the EU to the United States is still uncertain, although the US CLOUD Act to some extent tries to deal with the above-mentioned conflicts, for example, by stating that any disclosure of data must adhere to local law.
The leading case in question, between the New York Prosecution Agency and Microsoft, regarded a legal demand for Microsoft to disclose data located on servers in Ireland, which Microsoft refused because the disclosure would constitute an infringement of the Irish data protection regulation. The case was dismissed by the US Supreme Court after the enforcement of the CLOUD Act, but, although dismissed, the dispute is still not settled and it is expected that a new case between the parties will be settled according to the CLOUD Act. If the US government succeeds in the new case, controllers under the jurisdiction of the GDPR cannot be certain that US-based data processors (such as Microsoft or Apple) can actually comply with the rules on international transfer of personal data and disclosure in the GDPR, because they may be forced to disclose personal data regarding European citizens to the US government regardless of the rules in the GDPR or – as far as Denmark is concerned – the Data Protection Act.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
Based on the Data Protection legislation, the DPA is essentially the only enforcement agency with regard to data protection and privacy in Denmark, with one minor exception (according to the Danish Act on Data Protection regarding supply of public electronic communications services,26 the Danish Business Authority is the primary enforcement agency when it comes to security issues and security breaches in the telecommunications and internet sector).
According to the Data Protection Act, the DPA has several investigatory powers. The DPA may, for example, request access to any information relevant for its activities, including for the decision of whether a particular matter falls within the provisions of the Data Protection legislation. Furthermore, DPA staff must at any time – against satisfactory proof of identity but without a court order – be given access to all premises from where a processing activity is carried out, including any data processing equipment. If required, the police will help to secure access. The DPA therefore has the authority to audit private companies and public authorities – announced as well as unannounced – and conduct investigations of the controller's or processor's adherence to the Data Protection legislation.
Before the GDPR came into force, the DPA also had investigatory powers, including audits, but these powers were utilised to a much lesser extent than today. In 2017, the DPA held 73 audits and in 2018, when the GDPR came into force, the DPA held 329 audits.27 Both numbers include planned written and physical audits and raids. After the GDPR came into force, the DPA's audits have increased substantially, and the DPA now announces a number of planned written and physical audits regarding different business areas and different data protection subjects twice a year. For example, the DPA plans to audit two law firms, one accountancy firm and one union regarding the encryption of emails, and three public authorities and three private companies regarding compliance with the data subject access rights.28 Furthermore, the DPA is planning a number of audits based on the DPA's own initiative, complaints etc., but it seems that such audits are also notified to the controller or processor being audited prior to the audit. The DPA has not published the number of actual raids or unannounced audits after the GDPR came into force, but there seem to have been quite few, if any at all.
According to Article 58 of the GDPR, the DPA also has a number of corrective and sanctioning powers, including the power to issue warnings about intended processing operations likely to infringe the Data Protection legislation; to issue reprimands where processing activities have infringed the Data Protection legislation; to order processing operations brought into compliance with the GDPR and to impose temporary or definitive limitations including bans on processing activities.
The Danish legal system does not provide for administrative fines, which means that the processing activity infringing the Data Protection legislation is reported to the police by the DPA with an indicated fine, after which the prosecution will build a case against the defendant. The procedure is subject to the general rules of criminal procedure set out in the Danish Administration of Justice Act, which governs all aspects of civil and criminal proceedings. In Denmark, any fine for infringement of the Data Protection legislation is therefore imposed by the courts of Denmark.
Private companies' and persons' infringement of the GDPR (and the Data Protection Act) is subject to fines of up to €10 million or, in the case of an undertaking, up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher, regarding, among other things, infringement of the provisions regarding children's consent in relation to information society services (GDPR, Article 8), data protection by design and by default (GDPR, Article 25) and codes of conduct and certification (GDPR, Articles 41–43).
Private companies' and persons' infringement of the GDPR (and the Data Protection Act) is subject to fines of up to €20 million or, in the case of an undertaking, up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher, regarding, among other things, infringement of the provisions regarding the basic principles and legal grounds (GDPR, Articles 5–7 and 9), data subject rights (GDPR, Articles 12–22), international transfer of personal data (GDPR, Articles 44–49) and the Data Protection Agency's corrective orders (GDPR, Article 58).
Any infringement of the Data Protection legislation by Danish public authorities and institutions is subject to a fine of up to 4 per cent of the annual operating grant up to a maximum of 16 million kroner.
The DPA registered 12,205 cases in 2018, including hearings regarding the drafting of laws and executive orders of importance for the protection of privacy, investigations, audits, security breaches and international cases, as opposed to 5,024 registrations in 2017.29
Data protection and privacy did not have great importance in Denmark before 25 May 2018, and the most obvious reason for this is without a doubt that infringement of the data protection regulation was subject to none or hardly any sanctions pre-GDPR. This is emphasised by the fact that the highest fine issued in Denmark prior to 25 May 2018 was 25,000 kroner.
It is safe to say that post-GDPR, data protection has been taken seriously by Danish companies and public authorities, largely as a result of the DPA's increased activities as discussed above. In 2019, the DPA has issued a series of reprimands, bans and warnings, and in two cases the DPA has reported a private company to the police for infringement of the GDPR with indicated fines of 1.5 million and 1.2 million kroner respectively, both regarding infringement of Article 5(1)(e) of the GDPR, because said companies stored personal data for longer periods than necessary for the purposes for which the data was processed.
ii Recent enforcement cases
The most significant recent cases are the above-mentioned cases, which are the first data protection enforcement cases in Denmark.
The first case relates to a taxi company that had stored approximately 9 million collection and drop-off points linked to customer telephone numbers that could therefore be linked to specific people. The taxi company had attempted to anonymise the information by erasing customer names and argued that a longer retention period regarding the telephone numbers was necessary for business development purposes and that telephone numbers were 'the key to the database'. The DPA stated that the taxi company had no legitimate purpose for the separate retention period regarding telephone numbers, and that a controller or processor cannot base a processing activity's purpose on the fact that a system makes it difficult to comply with the GDPR. The DPA reported the infringement to the police with an indicated fine of 1.2 million kroner.
The second case relates to a retail company that had stored personal data regarding approximately 385,000 private customers in a primarily phased system without setting a retention period for the data in question. In this case, the DPA has reported the infringement to the police with an indicated fine of 1.5 million kroner.
Both cases are based on DPA planned audits, and the indicated fines will – if sanctioned by the court – be the highest fines ever imposed in Denmark regarding a data protection infringement.
Neither case has been settled by the Danish district court, and due to their public importance, it is expected that both cases will be appealed to the Danish High Court and possibly even to the Danish Supreme Court.
In other cases, the DPA has refrained from reporting infringements to the police, even though the infringement appeared to be of the same nature as those mentioned above. The DPA has instead issued reprimands, ordered a processing activity to be brought into compliance with the GDPR or imposed temporary or definitive limitations on processing activities. The DPA, for example, imposed a temporary ban on one of Denmark's largest telecommunication companies for recording customer calls without customer consent, even though the reason that the company did not collect customer consent was that its system did not support this. The number of customer call recordings without legal grounds has not been published, but it seems that the nature of this infringement is at least as serious as the above-mentioned cases resulting in a police report.
Looking generally at the DPA's post-GDPR practice, it is still very difficult to deduce any guidance revealing which infringements will result in a police report with an indicated fine and a subsequent criminal case, and which infringements will entail less severe sanctions, such as a ban or a reprimand. However, it is hoped that this will become clear in the years to come, when more criminal cases have been settled and DPA sanctions have been imposed.
iii Private litigation
According to Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR (or the Data Protection Act) shall have the right to receive compensation for the damage suffered. In many cases, private persons have insurance that covers legal expenses related to lawsuits, and there are almost no other options for free legal aid in Denmark. Private lawsuits regarding data protection are not common in Denmark, neither before nor after the GDPR came into force. Furthermore, Denmark has no tradition of pursuing claims by class action, which was first legalised in Denmark in 2008.
Due to the significantly increased public awareness regarding data protection post-GDPR, we may see more lawsuits where private individuals seek recovery (e.g., regarding data breaches or infringement of data subject rights). Nonetheless, an important basic principle of Danish law on damages is that a claim for damages can only cover the plaintiff's actual loss. In special cases – primarily criminal offences – the plaintiff may seek a special compensation (tort law) in addition to damages. According to Danish case law and the Danish Liability for Damages Act, a plaintiff may claim such compensation in cases regarding data protection; however, awarded amounts so far have been relatively small. Pre-GDPR, Danish courts awarded compensation of 5,000–25,000 kroner. No civil lawsuits have been settled in Denmark post-GDPR, but it is not expected that Danish courts will increase compensation amounts in future, mainly because compensation is regulated by the Danish Liability for Damages Act as opposed to the Data Protection legislation. It is thus likely that we will see more class actions in future, because the costs of a civil lawsuit in practice will be significantly higher than the potential compensation.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
There are no requirements for private controllers to store personal data exclusively in-country. Bookkeeping materials can be retained abroad but must be physically available in Denmark to a certain extent. The Danish Minister of Justice may, however, lay down rules to the effect that any personal data processed in specified IT systems and kept for public administrative authorities, must be stored, in full or in part, exclusively in-country. No such rules are in effect at the time of writing.
There is no general requirement to give the government access to software or decryption codes. However, prior to the publishing of this book, a new law regarding cybersecurity was adopted. The law has been widely criticised, as IT companies and experts believe that the law confers too much power on the National Center for Cybersecurity (CFCS).
The CFCS is part of the National Intelligence Service and is responsible for detecting, analysing and helping to address security incidents at affiliated authorities and private businesses.
Under the new law, the CFCS may, in special cases, require companies of special social importance and regions and municipalities to be connected to the network security service for the purpose of monitoring network communication. The order can only cover parts of the company, region or municipality with significant impact on Denmark's critical infrastructure.
Furthermore, the CFCS may process data in transmission (e.g., when the data is sent outside the organisation) or when it is stored locally on servers in the country from affiliated authorities and companies without a court order to support a high level of information security in society. Affected companies may be operators of drinking water supply and distribution, energy (electricity, oil and gas), transport, banking, health and financial and digital infrastructure, whereas online market operators, online search engines or cloud services are not considered to be critical infrastructure.
IX CYBERSECURITY AND DATA BREACHES
Denmark ranks seventh in the latest update of the international National Cybersecurity Index (NCSI).30
The NCSI is developed and maintained by the Estonian e-Governance Academy. The ranks are calculated based on 46 indicators within three main categories: 'general cyber security indicators', 'basic cyber security indicators' and 'event and crisis management indicators'.
The high ranking is primarily due to the fact that Denmark has implemented the EU Directive on Network and Information Security (NIS), which includes several security requirements and a notification obligation in case of security incidents.
Consequently, security breaches relating to personal data or other security events relating to significant parts of Denmark's infrastructure, for example supply, digital infrastructure, finance and telecommunications shall be reported to the relevant authorities.
In relation to information privacy standards, the ISO/IEC 27001 framework on information security is mandatory for all government and public authorities.
In relation to private companies, Section 115 of the Danish Companies Act stipulates that the board of directors of a capital company among other things must ensure that the company has an overview of the risks related to IT facilities within the company and that IT facilities are robust and reliable. Apart from this, no Danish laws lay down cybersecurity requirements (beyond the GDPR) to cover corporate networks, proprietary data, availability and integrity of business data.
In addition to the ISO/IEC 27001 framework, the SANS CIS Risk Assessment Method, SANS CIS Critical Security Controls or ISO/IEC 27005 on Information Technology – Security Techniques – Information Security Risk Management are generally used in relation to privacy and cybersecurity compliance.
The GDPR has probably had more effect on Danish society in general, including the Danish business community and public authorities, than any other law ever implemented in Denmark. Most companies still have comprehensive compliance work ahead, and many have still not commenced their compliance work even though more than one year has now passed since the GDPR came into force. In the years to come, DPA sanctioning and the pending criminal cases in Denmark as well as in Europe will form applicable case law and guidelines, regarding both the sanctioning level and, for example, specific retention periods and the extent of the legal grounds in the Data Protection legislation, and will hopefully answer many of the unanswered key questions arising from the GDPR.
1 Tommy Angermair is a partner, Camilla Sand Fink is a senior associate and Søren Bonde is an assistant attorney at Clemens.
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
3 Act No. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
4 European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
5 'EU's persondataforordning koster danske virksomheder ca. 8 mia. kr.' by chief consultant Malthe Munkøe and analysis consultant Jakob Kæstel Madsen, Dansk Erhverv, May 2018.
6 Section 1(3) of Data Protection Act.
7 The guidelines are only published in Danish and available at https://www.datatilsynet.dk/generelt-om-databeskyttelse/vejledninger-og-skabeloner/.
8 Guideline from the DPA concerning the rights of the data subject, p. 14.
9 DPA case No. 2018-832-0009.
10 DPA case No. 2018-832-0004.
11 DPA case No. 2018-31-0118.
12 Section 12(1) of the Data Protection Act.
13 DPA case No. 2018-31-0977.
14 Act No. 1286 of 02/11/2018.
15 Act No. 1190 of 11/10/2007.
16 The Danish Marketing Act No. 426 of 03/05/2017.
17 The European Economic Area includes all EU countries, Iceland, Liechtenstein and Norway.
18 The European Commission's list of approved countries at any given time is available on the European Commission's website: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
20 Executive Order No. 1148 of 9 December 2010 on requirements for information and consent when storing or accessing information in the end user's terminal equipment (the Cookie Order), implementing Directive 2002/58/EC (the ePrivacy Directive).
21 According to the Danish Marketing Act, Article 10, a trader may not approach anyone by means of electronic mail, an automated calling system or fax for the purpose of direct marketing unless the party concerned has given his or her prior consent.
22 According to the Danish Consumer Act, a trader may not approach consumers by means of telephone for the purpose of direct marketing unless the consumer has given his or her prior consent.
23 Act No. 1284 of 14 November 2018, Retsplejeloven (the Danish Administration of Justice Act).
24 The European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
25 The Clarifying Lawful Overseas Use Of Data Act, 23 March 2018 (The U.S. CLOUD Act).
26 Executive Order No. 462 of 23 May 2016 on personal data security in connection with the supply of public electronic communications services.
27 The DPA's annual report for 2018, page 10.
28 The DPA's published audit plans for the first half of 2019: https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2019/jan/planlagte-tilsyn-i-foerste-halvaar-af-2019/.
29 The DPA's annual report for 2018, page 10.