Denmark Data Privacy Laws: GDPR Implementation Guide (2026)

Denmark has earned a reputation as one of the more pragmatic GDPR implementers in the European Union. Rather than adding layers of national complexity on top of the regulation, the Danish Data Protection Act focuses on addressing specific areas where the GDPR grants member states flexibility.

What makes Denmark's approach distinctive is its enforcement model. Unlike most EU member states, the Danish data protection authority cannot directly impose fines. This structural choice has meaningful consequences for how data protection is enforced in practice.

Legal Framework and GDPR Implementation

Denmark's data protection regime rests on two primary legal instruments. The GDPR applies directly as EU law, and the Danish Data Protection Act (Databeskyttelsesloven) supplements it with national rules where the regulation permits or requires member state action.

The Danish Parliament passed the Data Protection Act on 17 May 2018, ensuring it took effect alongside the GDPR on 25 May 2018. Denmark was among the member states that had implementing legislation ready from day one, reflecting the country's tradition of early adoption of data protection standards.

The Act has been consolidated several times since its initial passage, with the most recent consolidation as Act No. 289 of 8 March 2024. These consolidations incorporate amendments and corrections made since the original enactment.

Historical Context

Denmark was an early mover on data protection in Europe. The country had comprehensive data protection legislation in place well before the GDPR, dating back to the Act on Processing of Personal Data of 2000, which itself implemented the 1995 EU Data Protection Directive. This long history means that Danish organizations generally had more mature compliance frameworks than many of their European counterparts when the GDPR arrived.

Supplementary Legislation

Beyond the main Data Protection Act, Denmark's data protection landscape includes the CCTV Act (TV-overvagningsloven), which governs video surveillance by private entities, and relevant provisions in the Marketing Practices Act, which implements the ePrivacy Directive's rules on cookies and electronic marketing.

Datatilsynet: Denmark's Data Protection Authority

The Datatilsynet (Danish Data Protection Agency) serves as Denmark's independent supervisory authority for data protection. The agency is responsible for supervising compliance with the GDPR and the Danish Data Protection Act across both public and private sectors.

Datatilsynet is led by a council consisting of a chairperson (who must be a qualified lawyer) and six members appointed by the Danish Minister of Justice. The agency operates with full independence from the government in its supervisory and enforcement activities.

The Unique Enforcement Model

Denmark's enforcement model is fundamentally different from most other EU member states. The Datatilsynet cannot impose administrative fines directly. Instead, when the agency identifies a GDPR violation warranting a financial penalty, it must file a report recommending prosecution.

The process then follows the criminal justice system. The police investigate the case, determine whether to bring formal charges, and if so, refer the matter to the courts. The court then assesses the case and determines the appropriate fine amount. This judicial involvement adds procedural safeguards for the organizations being fined but significantly lengthens the enforcement timeline.

This structural feature means that Denmark's GDPR fine statistics look different from other member states. Fines take longer to materialize, and the amounts may differ from what Datatilsynet originally recommended because the final decision rests with the judiciary.

Enforcement Powers Beyond Fines

While it cannot impose fines, Datatilsynet retains substantial enforcement powers. The agency can issue warnings, reprimands, and orders to data controllers and processors. It can order organizations to bring processing operations into compliance, impose temporary or permanent processing bans, and order the suspension of data flows to third countries. These non-financial enforcement tools are used regularly and can have significant practical impact on organizations.

Fines and Penalties

The GDPR's standard penalty framework applies in Denmark. Fines of up to EUR 10 million or 2% of worldwide annual turnover can be imposed for violations of controller and processor obligations, and fines of up to EUR 20 million or 4% of worldwide annual turnover apply to violations of core processing principles, data subject rights, and international transfer rules.

However, because fines must go through the court system, Denmark's actual enforcement record involves a multi-step process between Datatilsynet's recommendation and the final court-imposed fine.

Notable Enforcement Actions

Netcompany (2024): Datatilsynet recommended a fine of DKK 15 million (approximately EUR 2 million) against Netcompany, the company operating mit.dk, Denmark's digital mailbox system for receiving communications from public authorities. The agency found that Netcompany failed to implement appropriate technical and organizational measures, specifically discovering inappropriate coding in the user authentication component despite having conducted pre-launch testing. This was the largest fine recommendation in Danish GDPR history.

Danske Bank: Datatilsynet recommended a fine of approximately EUR 1.3 million against Danske Bank for lacking proper data storage and erasure procedures across more than 400 systems containing personal data of millions of customers. The case originated from a self-reported breach in 2020 when the bank discovered it could not demonstrate proper data deletion practices.

Taxa 4x35 (2019): In one of the earlier Danish GDPR cases, Datatilsynet recommended a fine of DKK 1.2 million against the Copenhagen taxi company for retaining personal data of approximately 9 million taxi rides for longer than necessary.

CPR Number Protections

One of Denmark's most significant national provisions concerns the CPR number (personnummer), the unique civil registration number assigned to every person registered in the Danish Civil Registration System.

The Danish Data Protection Act treats CPR numbers with elevated protection, similar to sensitive personal data. The rules for processing CPR numbers differ between public and private entities.

Public authorities may process CPR numbers when the processing is necessary for unambiguous identification of the data subject or when required by law. The standard is relatively straightforward for government functions that require precise identification.

Private entities face stricter requirements. They may only process CPR numbers when required by law, when the data subject has given explicit consent, when the data subject has made the number publicly available and processing is clearly in their interest, or when processing serves important public or private interests that outweigh the data subject's privacy concerns.

These restrictions reflect Denmark's recognition that the CPR number functions as a master identifier across government and private systems, making its misuse particularly dangerous for identity theft and unauthorized profiling.

CCTV Surveillance Rules

Denmark maintains a separate CCTV Act (TV-overvagningsloven) that governs video surveillance by private individuals and entities. Government CCTV use falls under the GDPR and general data protection rules rather than this specific act.

Private CCTV Surveillance

Private businesses may use CCTV on their own premises for security and crime prevention purposes. This is generally permitted without special authorization, provided the surveillance complies with GDPR principles including purpose limitation, data minimization, and transparency.

CCTV surveillance of public spaces by private entities is, as a general rule, prohibited. Private organizations that wish to monitor areas accessible to the public typically need police permission. Exceptions exist for certain types of businesses, such as gas stations and retail stores, where surveillance of immediately adjacent public areas may be justified for security reasons.

Retention Limits

Denmark imposes a strict retention period on CCTV recordings. Video footage must be deleted within 30 days unless it has been transferred to the police in connection with a criminal investigation. This 30-day rule is one of the more specific retention limits found in EU member state data protection legislation and provides clear guidance that many organizations appreciate.

Signage Requirements

Any area under CCTV surveillance must be clearly marked with visible signage informing people that recording is taking place. The signage must include information about who is responsible for the surveillance and how to contact them.

Age of Digital Consent

Denmark set the age at which children can independently consent to information society services at 13 years old. The GDPR allows member states to choose any age between 13 and 16, and Denmark opted for the lowest permitted threshold.

This means that Danish children aged 13 and older can create social media accounts, sign up for digital services, and consent to the processing of their personal data in connection with those services without parental involvement. For children under 13, consent must be given or authorized by a parent or guardian.

The choice of 13 reflects Denmark's generally progressive approach to digital literacy and children's autonomy, aligning with the country's broader educational and social policies.

Journalism and Freedom of Expression Exemptions

Denmark provides a broad journalism exemption from data protection rules. Processing carried out for journalistic purposes, or for academic, artistic, or literary expression, is exempt from most of the GDPR's substantive provisions (Chapters II through VII and Chapter IX).

This exemption is wider than what some other EU member states provide and reflects Denmark's strong tradition of press freedom. It means that journalists, academic researchers, and artists have substantial latitude to process personal data without meeting the full range of GDPR requirements, though they remain subject to certain basic principles.

Processing of Criminal Data

The Danish Data Protection Act contains specific provisions on processing personal data relating to criminal offenses, convictions, and security measures. For private entities, processing of criminal data is only permitted when necessary for the purpose of protecting legitimate interests and these interests clearly outweigh the interests of the data subject.

Public authorities have broader permissions to process criminal data, but must still comply with purpose limitation and other core GDPR principles.

Data Breach Notification

Standard GDPR breach notification requirements apply in Denmark. Controllers must notify Datatilsynet within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. Datatilsynet provides an online notification form and has published guidance on assessing breach severity.

When a breach is likely to result in high risk to affected individuals, the controller must also notify those individuals without undue delay. Datatilsynet has emphasized that organizations should have breach response procedures in place and should conduct regular testing of those procedures.

International Data Transfers

Denmark follows the standard GDPR framework for international data transfers. Transfers outside the EEA require an adequacy decision, appropriate safeguards (such as Standard Contractual Clauses or Binding Corporate Rules), or one of the specific derogations permitted under the GDPR.

Datatilsynet has been particularly active in providing guidance on Schrems II implications and the use of cloud services. The agency published guidance on the use of Google Workspace and Microsoft Office 365 in the public sector, concluding that certain configurations did not meet GDPR requirements for data transfers to the United States.

Practical Compliance Considerations

Organizations operating in Denmark should be aware of several distinctive features of the Danish data protection landscape.

The judicial enforcement model means that the threat of fines operates differently than in most EU countries. Datatilsynet's fine recommendations are not final, the ultimate penalty depends on court proceedings that may take months or years to conclude. However, the agency's non-financial enforcement powers (processing bans, compliance orders) can be imposed directly and may have more immediate practical impact.

CPR number handling requires careful attention. If your organization processes Danish civil registration numbers, you must ensure you have a valid legal basis under both the GDPR and the specific Danish Data Protection Act provisions.

CCTV operators should note the strict 30-day retention limit and the prohibition on private surveillance of public spaces without police permission. These rules are more specific than general GDPR requirements and are actively enforced.

Finally, organizations targeting services at Danish children should implement age verification mechanisms reflecting the 13-year consent threshold.

Relationship to Recording Laws

Denmark's data protection laws interact with its broader rules on recording and surveillance. While the CCTV Act governs video surveillance specifically, audio recording of conversations falls under both criminal law provisions and data protection requirements.

Any recording of individuals, whether audio or video, constitutes personal data processing under the GDPR and must comply with the regulation's requirements for lawful basis, transparency, and purpose limitation. This means that even where recording is permitted under Danish criminal law, the data protection overlay requires additional compliance steps.

Disclaimer: This article provides general information about Denmark's data privacy laws and is not legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in Denmark for guidance on your specific situation.