Denmark Data Privacy Laws: GDPR, Datatilsynet & AI Act Guide (2026)

Denmark implements the EU General Data Protection Regulation directly as binding law, supplemented by the Danish Data Protection Act (Databeskyttelsesloven, Act No. 502 of 23 May 2018, consolidated as Act No. 289 of 8 March 2024). A constitutional peculiarity sets Denmark apart from every other EU member state: Datatilsynet cannot impose GDPR fines directly. All financial penalties must flow through the criminal courts under GDPR Recital 151.

Information last verified on 2026-05-19. This article has not been reviewed by a licensed lawyer.

Jurisdiction scope: This article covers Denmark's national data protection law, including the GDPR as applied in Denmark, the Danish Data Protection Act (Act No. 502 of 2018), the Danish TV Surveillance Act, and Law No. 467 of 14 May 2025 implementing the EU AI Act. It does not address the Faroe Islands or Greenland, which are outside EU law. For EU-wide GDPR rules that apply across all member states, see EU data privacy laws. For Denmark's recording and surveillance rules, see Denmark recording laws.

Quick Answer: How Does Data Protection Work in Denmark?

Denmark protects personal data through two overlapping legal frameworks. The GDPR applies as directly binding EU law for all personal data processing by controllers and processors established in Denmark, or processing that targets Danish residents. The Danish Data Protection Act supplements the GDPR in areas where the regulation grants member states flexibility: child consent, CPR numbers, criminal data, journalistic exemptions, and the structure of enforcement. Datatilsynet (the Danish Data Protection Agency) supervises compliance, investigates complaints, and can impose orders, warnings, reprimands, and processing bans. However, Datatilsynet cannot directly levy the financial penalties that the GDPR authorises. Under GDPR Recital 151, Denmark routes all fines through the criminal courts, with Datatilsynet filing a report to police who investigate and refer to the judiciary. This constitutional arrangement is unique among EU member states (shared only with Estonia, which uses a misdemeanor route) and has meaningful consequences for the speed and size of enforcement outcomes.

The Legal Framework: GDPR and the Danish Data Protection Act

The GDPR (Regulation (EU) 2016/679) has applied directly in Denmark since 25 May 2018. Unlike a directive, it required no transposition: it became part of Danish law automatically upon entry into force. The Danish Parliament passed the Danish Data Protection Act (Lov om behandling af personoplysninger, Act No. 502 of 23 May 2018) on 17 May 2018 to ensure the supplementary national provisions were in place on day one. The Act has been consolidated twice since original enactment; the current consolidation is Act No. 289 of 8 March 2024.

Jurisdiction note: The Danish Data Protection Act explicitly states that it does not apply to the Faroe Islands or Greenland. Those territories have separate legal systems and are outside the EU.

Denmark's data protection tradition predates the GDPR. The country had comprehensive legislation in place since 2000 implementing the 1995 EU Data Protection Directive, which itself followed Denmark's 1978 Private Registers Act and 1979 Public Authorities' Registers Act. This long history means most Danish organisations entered the GDPR era with mature compliance frameworks already in place.

Beyond the main Data Protection Act, Denmark's data protection landscape includes:

• The Danish TV Surveillance Act (TV-overvagningsloven), governing video surveillance by private entities
• The Danish Law Enforcement Act (Databeskyttelsesloven for retshandling), implementing the Law Enforcement Directive for criminal justice processing
• The Marketing Practices Act, which implements the ePrivacy Directive's cookie and electronic-marketing rules (the Cookiebekendtgorelsen)
• Law No. 467 of 14 May 2025, implementing enforcement powers under the EU AI Act (in force 2 August 2025)

Datatilsynet: Structure, Powers, and the Court-Based Fine Model

Datatilsynet (the Danish Data Protection Agency) is Denmark's independent supervisory authority under Article 51 GDPR. The agency is led by a council comprising a chairperson (who must be a qualified lawyer) and six members, appointed by the Minister of Justice. Datatilsynet operates with full independence from the government in its supervisory and enforcement activities, and participates in the European Data Protection Board (EDPB) alongside all other EU supervisory authorities.

Datatilsynet reported a record 18,816 new cases in 2024, an increase of 754 cases from 2023. Of those, 9,624 were data breach notifications. In 2025, the agency managed 9,849 breach notifications and 2,653 supervision-related cases.

The Court-Based Fine Model: GDPR Recital 151

Denmark's constitutional structure does not permit administrative authorities to impose punitive financial penalties. This is not an oversight in Denmark's GDPR implementation; GDPR Recital 151 explicitly anticipates and accommodates it:

"The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts, as a criminal penalty, provided that such application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. The fines imposed should be effective, proportionate and dissuasive."

In practice, when Datatilsynet identifies a violation serious enough to warrant a fine, the process follows these steps:

1. Datatilsynet completes its investigation and issues a written decision with a recommended fine amount.
2. Datatilsynet files a police report (politianmeldelse) with the recommended fine.
3. The police investigate the case independently and decide whether to bring formal charges.
4. If charges are brought, the case is referred to the criminal courts.
5. The court reviews the evidence, considers the Datatilsynet recommendation, and imposes whatever fine it finds proportionate.

This model adds substantial procedural safeguards for organisations but lengthens enforcement timelines significantly. Cases can take years from Datatilsynet's recommendation to a final court judgment. Courts also regularly reduce Datatilsynet's recommended amounts. The Eastern High Court imposed DKK 1 million on Arp-Hansen Hotels in 2023 after Datatilsynet had recommended DKK 1.1 million.

Enforcement Powers Beyond Fines

While it cannot impose fines, Datatilsynet holds substantial non-financial enforcement powers that can be applied directly and immediately:

• Warnings for potential future violations
• Reprimands for established violations of the GDPR
• Compliance orders requiring organisations to bring processing into line with the GDPR
• Temporary or permanent processing bans
• Suspension of data flows to third countries
• Orders to notify affected data subjects of a breach

These non-financial tools are actively used and can carry serious operational consequences. A processing ban on a core business system can disrupt operations far more immediately than a fine that will not be resolved for years in the courts.

Legal Bases and Consent Under Danish Law

Denmark applies the standard six legal bases under GDPR Article 6: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. The Danish Data Protection Act adds no additional Article 6 bases but modifies how some apply in the national context.

For consent to be valid under GDPR Article 7 as applied in Denmark, it must be freely given, specific, informed, and unambiguous. Datatilsynet updated its consent guidance in 2021, clarifying several points:

• Public authorities face a higher threshold for relying on consent given the inherent power imbalance between authority and citizen. Datatilsynet's position is that consent is rarely a valid basis for public-sector processing.
• Scrolling or swiping through a page does not constitute an unambiguous indication of consent to data processing.
• Consent must be as easy to withdraw as to give. Pre-ticked boxes and bundled consents are invalid.

For employment relationships, section 12 of the Danish Data Protection Act provides that consent may be used as a basis only where the conditions of Article 7 GDPR are genuinely met, recognising that employees may not freely consent given the employer-employee power dynamic.

Special Category Data

GDPR Article 9 applies in Denmark for special categories (health, racial or ethnic origin, political opinions, religious beliefs, genetic and biometric data, trade union membership, sex life or sexual orientation). Section 7 of the Danish Data Protection Act adds national conditions for processing health data, and section 8 covers criminal data processing.

Data Subject Rights

All GDPR Chapter III rights apply in Denmark without material modification:

Data subjects may lodge complaints with Datatilsynet free of charge. Datatilsynet must investigate complaints unless they are manifestly unfounded or excessive.

A significant development in 2025 was a Danish High Court ruling on 20 August 2025 awarding EUR 335 in non-material compensation to a data subject whose health information was wrongfully shared by a municipality, relying on GDPR Article 82. The claimant has appealed to the Supreme Court seeking higher compensation and extension of the award to her spouse. If the Supreme Court upholds the approach, commentators suggest it could reshape class-action litigation risk for Danish organisations facing large-scale breaches.

CPR Number Protections

One of Denmark's most distinctive national provisions concerns the CPR number (personnummer), the unique civil registration number assigned to every person registered in Denmark's Civil Registration System. CPR numbers function as master identifiers across government and private systems, enabling linkage of datasets in ways that make their misuse a serious privacy risk.

Section 11 of the Danish Data Protection Act provides a specific regime for CPR numbers that sits alongside, not instead of, GDPR Article 6. A controller that has a valid Article 6 legal basis must also satisfy section 11 to process CPR numbers.

For public authorities, processing is permitted when necessary for unambiguous identification of the data subject or when required by statutory provision.

For private entities, the permitted grounds are narrower:

• Processing is required by statutory law
• The data subject has given explicit consent to the processing
• Processing of a CPR number that the data subject has made publicly available is clearly in the data subject's interest
• Processing is necessary for the pursuit of legitimate interests and those interests clearly outweigh the interests of the data subject
• Processing is necessary for statistical or scientific research subject to adequate safeguards

Private-sector organisations should not assume that a valid GDPR Article 6 basis (for example, contract performance) automatically authorises CPR number processing. A separate section 11 justification is required.

Data Protection Officers (DPOs)

Denmark follows GDPR Article 37(1) for mandatory DPO appointments without adding additional national obligations. A DPO must be designated when the organisation is:

• A public authority or body (except courts acting in their judicial capacity)
• An entity whose core activities require large-scale, regular, and systematic monitoring of individuals (for example, online behavioural tracking at scale)
• An entity whose core activities consist of large-scale processing of special category data or data relating to criminal convictions and offences

Section 24 of the Danish Data Protection Act adds one specific obligation for DPOs designated under grounds (b) and (c): those DPOs are subject to a statutory confidentiality obligation and may not disclose or exploit information acquired in connection with their DPO duties. This is a stricter confidentiality obligation than the GDPR itself imposes.

DPOs must report directly to the highest management level, must be involved in all data protection issues in a timely manner, and cannot be dismissed or penalised for performing their DPO tasks. The DPO's contact details must be published and communicated to Datatilsynet.

Breach Notification

Denmark applies the standard GDPR breach notification framework:

• Controllers must notify Datatilsynet within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms (GDPR Article 33)
• When a breach is likely to result in high risk to affected individuals, the controller must notify those individuals without undue delay (GDPR Article 34)
• Processors must notify their controller without undue delay upon becoming aware of a breach

Datatilsynet provides an online notification portal and has published detailed guidance on assessing breach risk levels. The agency emphasised in its 2024 report that many breach notifications it receives are submitted late, and that organisations should have documented breach response procedures tested in advance.

Data breach reporting volumes have increased substantially year on year. Datatilsynet received 9,624 breach notifications in 2024 and 9,849 in 2025.

CCTV Surveillance: The TV Surveillance Act

Denmark maintains a separate TV Surveillance Act (TV-overvagningsloven) governing video surveillance by private individuals and entities. Government CCTV in public spaces is governed by the GDPR and general data protection rules rather than this act.

Permitted private CCTV: Private businesses may conduct CCTV on their own premises (interior and immediately adjacent exterior areas) for security and crime prevention purposes without special authorisation, subject to GDPR compliance requirements.

Public space prohibition: Private entities are, as a general rule, prohibited from conducting CCTV surveillance of public spaces. Exceptions exist for certain categories of business where surveillance of adjacent public areas is justified by security considerations, but these require assessment against the general prohibition.

30-day retention limit: CCTV recordings must be deleted within 30 days of capture. The only exception is footage transferred to the police in connection with a criminal investigation. This bright-line rule provides clarity for operators but means footage from an incident more than 30 days old will generally be unavailable.

Signage requirement: Any area under CCTV surveillance must display clear visible signage identifying the responsible entity and providing contact information. Failure to post adequate signage is a standalone compliance issue.

Age of Digital Consent

Section 6(3) of the Danish Data Protection Act sets the age of consent for information society services at 13 years. Children aged 13 and older may independently consent to the processing of their personal data in connection with digital services such as social media platforms and online applications, without parental authorisation. For children under 13, consent must be given or authorised by a parent or guardian.

This choice reflects the minimum threshold the GDPR permits member states to select (GDPR Article 8(1)) and aligns Denmark with other member states that opted for the lowest permitted age.

Watch out: Denmark is separately considering social media age-limit legislation that would require a minimum age of 15 years for access to designated platforms, or 13 with parental consent, under a Digital Services Act Article 28 framework. As of May 2026, this initiative has been announced politically but has not been enacted into law. The current GDPR consent age under section 6(3) of the Danish Data Protection Act remains 13.

Journalism and Freedom of Expression Exemptions

Section 3 of the Danish Data Protection Act provides a broad exemption for processing carried out for journalistic purposes, or for academic, artistic, or literary expression. Such processing is exempt from most of the substantive GDPR provisions (Chapters II through VII and IX).

This exemption is wider than what many other EU member states provide and reflects Denmark's strong constitutional tradition of press freedom. Journalists, academic researchers, and artists retain substantial latitude to process personal data without meeting the GDPR's full compliance requirements.

Processing of Criminal Data

Section 8 of the Danish Data Protection Act governs private-sector processing of personal data relating to criminal offences, convictions, and security measures. For private entities, processing of criminal data is only permitted when it is necessary for the purpose of protecting legitimate interests, and those interests clearly outweigh the interests of the data subject.

Public authorities have broader permissions to process criminal data but must still comply with purpose-limitation and other core GDPR principles. This bifurcation between public and private actors reflects the Danish legislature's judgment that private organisations have weaker justifications for processing sensitive criminal-history information.

Cross-Border Data Transfers

Denmark follows the standard GDPR Chapter V framework for international transfers. Transfers of personal data outside the EEA require one of:

• An adequacy decision by the European Commission (covering countries such as the UK, Switzerland, Canada, Japan, South Korea, and the US under the EU-US Data Privacy Framework)
• Appropriate safeguards including Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or approved codes of conduct
• Specific derogations under GDPR Article 49 (consent, contract necessity, vital interests, legal claims, public interest)

Datatilsynet declared the use of Google Analytics unlawful in September 2022 on the basis that it transferred personal data to the United States without adequate safeguards following the CJEU's Schrems II ruling. While the EU-US Data Privacy Framework (adopted July 2023) resolved the specific adequacy gap, Datatilsynet has maintained that DPF compliance is necessary but not sufficient for lawful analytics use. Organisations must also have valid cookie consent, a data processor agreement with Google, and compliance with all GDPR data-minimisation and purpose-limitation requirements.

In 2022 and 2023, Datatilsynet also published guidance on Google Workspace and Microsoft 365 in the public sector, concluding that certain configurations did not comply with GDPR transfer requirements. Public bodies have had to review and update configurations and data processing agreements accordingly.

Penalties and Enforcement Record

The GDPR's standard penalty tiers apply in Denmark:

• Up to EUR 10 million or 2% of worldwide annual turnover (whichever is higher) for violations of controller and processor obligations under Articles 8, 11, 25-39, 42, and 43
• Up to EUR 20 million or 4% of worldwide annual turnover (whichever is higher) for violations of core processing principles, data subject rights, international transfer rules, and supervisory authority orders

Because Datatilsynet cannot impose these amounts directly, the practical enforcement record differs significantly. Datatilsynet recommends fines to police; courts impose them as criminal penalties.

Court-Imposed Fines to Date

Pending Recommended Fines (Not Yet Court-Confirmed)

The gap between recommended and court-imposed amounts is a structural feature of Denmark's enforcement landscape. Organisations should not assume that lower court fines mean lower compliance risk. Datatilsynet's non-financial enforcement tools, processing bans, compliance orders, and public reprimands, are applied directly and carry immediate operational consequences.

The EU AI Act: Law No. 467 of 14 May 2025

Denmark became one of the first EU member states to enact national legislation implementing the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) when Parliament adopted Law No. 467 on 8 May 2025. The law entered into force on 2 August 2025, the same date that the EU AI Act's provisions on prohibited AI practices and general-purpose AI became applicable.

Law No. 467 is a targeted supplementary act. The EU AI Act itself applies directly as EU law and does not require transposition. Law No. 467 does the procedural and institutional work the EU AI Act requires member states to perform: it designates national competent authorities, establishes inspection and enforcement powers at national level, and creates a criminal sanctions framework. The law does not apply to the Faroe Islands or Greenland.

Designated National Authorities Under Law No. 467

Denmark took a centralized multi-authority approach rather than designating sector-specific regulators:

The Digitaliseringsstyrelsen acts as the primary coordinating body and Denmark's single point of contact with the European Commission and the EU AI Office.

Enforcement Powers Under Law No. 467

The designated authorities may:

• Demand and collect all relevant technical information about AI systems from providers and deployers
• Conduct on-site inspections of business premises without prior judicial authorisation
• Issue injunctions requiring immediate remediation of non-compliant AI systems
• Impose temporary bans on AI systems using prohibited practices
• Issue criminal fines (exclusively financial in nature) with a five-year limitation period
• Publish decisions about prohibited AI use

Consistent with Denmark's constitutional framework for financial penalties, AI Act fines under Law No. 467 are criminal penalties imposed through the courts, not administrative fines.

Watch out: Law No. 467 was designed as an initial measure covering the early provisions of the EU AI Act (primarily the Article 5 prohibited practices that became applicable on 2 August 2025). A comprehensive successor law addressing the full scope of the EU AI Act was under development as of May 2026. Organisations subject to the AI Act should monitor guidance from Digitaliseringsstyrelsen and Datatilsynet.

Recent Developments (2024-2026)

Cookie compliance enforcement (2025-2026): Datatilsynet has made cookie consent a priority enforcement area. Agency research found 84% of Danish websites had cookie compliance violations as of 2025. Datatilsynet reprimanded major media publishers JP/Politikens Hus and Berlingske for consent practices including colour-coded nudging (green accept, grey reject buttons) and cookie walls conditioning content access on analytics consent. Denmark has no consent exemption for analytics cookies; the Cookiebekendtgorelsen recognises only two narrow exemptions: cookies strictly necessary for communications and cookies strictly necessary for explicitly requested services.

Google Analytics position updated (2023-2026): Following the EU-US Data Privacy Framework in July 2023, Datatilsynet confirmed that the specific data transfer issue underlying its 2022 unlawfulness finding is resolved for DPF-compliant configurations. The agency nevertheless maintained that DPF adequacy alone does not make Google Analytics lawful. Valid prior-consent mechanisms, compliant data processor agreements, and data-minimisation compliance remain mandatory.

Netcompany recommendation (January 2024): Datatilsynet recommended Denmark's largest-ever GDPR fine, DKK 15 million, against Netcompany for security failures in the mit.dk national digital mailbox system. The agency found Netcompany had not implemented privacy-by-design, had not conducted a required data protection impact assessment (DPIA), and had deployed inappropriate coding in the user authentication component despite pre-launch testing. The case is pending in the courts as of May 2026.

GDPR compensation ruling (August 2025): Denmark's High Court awarded EUR 335 in non-material compensation under GDPR Article 82 to a data subject whose health information was wrongly shared by a municipality. The claimant appealed to the Supreme Court to increase the amount and extend it to her spouse. A Supreme Court ruling upholding the approach would significantly expand litigation risk for Danish organisations facing large-scale data breaches.

AI Act enforcement begins (August 2025): With Law No. 467 in force from 2 August 2025, organisations operating prohibited AI systems in Denmark face criminal prosecution. Datatilsynet is the designated market surveillance authority for AI systems involving personal data. The agency published initial guidance on how AI Act obligations interact with GDPR requirements, given that many AI systems process personal data and therefore fall under both frameworks simultaneously.

EU Digital Omnibus proposals (2025): Denmark, as EU Council President in the second half of 2025, circulated proposals to revise the ePrivacy framework, including possible exemptions for certain analytics and technical cookies. These proposals remain in the EU legislative process and would not take effect until 2027 at the earliest if adopted.

Business Compliance Checklist

Organisations operating in Denmark should address the following specific features of the Danish data protection landscape:

CPR number handling: Confirm that any processing of Danish civil registration numbers has a valid legal basis under both GDPR Article 6 and section 11 of the Danish Data Protection Act. A contract-performance basis for the main processing activity does not automatically authorise CPR number use.

CCTV compliance: Review retention schedules to confirm recordings are deleted within 30 days. Audit signage at all surveilled premises. Confirm that surveillance does not extend to public spaces in breach of the TV Surveillance Act.

Cookie consent: Conduct a cookie audit. Denmark applies no analytics consent exemption. All non-strictly-necessary cookies require prior opt-in consent. Review consent management platform configuration to eliminate nudging patterns that Datatilsynet has found to invalidate consent.

Child services: If services are offered to individuals, implement age verification for users under 13. The statutory threshold under section 6(3) of the Data Protection Act is 13. Monitor pending social media legislation that may raise this to 15 for certain platforms.

AI systems: Classify all AI systems used in Denmark against the EU AI Act risk tiers. For high-risk AI systems, prepare compliance documentation for Datatilsynet or Digitaliseringsstyrelsen on request. Confirm that no operations fall within the Article 5 prohibited AI categories.

Breach response: Document and test breach notification procedures. The 72-hour clock runs from when any member of the organisation becomes aware of the breach, not when senior management is formally notified. Datatilsynet has noted a high rate of late notifications.

Enforcement model awareness: When assessing the risk of a GDPR violation, account for the two-phase enforcement model. Datatilsynet can impose processing bans and compliance orders immediately. Financial fines take longer but are criminal penalties and carry a criminal record for the organisation.

Relationship to Recording and Surveillance Laws

Denmark's data protection rules interact directly with its broader surveillance and recording laws. Any recording of individuals, whether audio or video, constitutes personal data processing under the GDPR and requires a valid Article 6 legal basis, transparency obligations under Articles 13 and 14, and compliance with purpose-limitation and data-minimisation principles.

The CCTV provisions of the TV Surveillance Act layer on top of GDPR for video surveillance specifically. For audio recording, Danish criminal law provides the primary consent framework, with GDPR compliance required in addition. For a full analysis of Denmark's recording consent rules, see Denmark recording laws.

---

Disclaimer: This article provides general legal information about Denmark's data privacy laws as of May 2026. It does not constitute legal advice. Data protection laws change frequently, and the interaction of GDPR, national implementing legislation, and emerging AI regulation continues to evolve. Consult a lawyer qualified in Danish law for advice on your specific situation. Statutes cited reflect their in-force versions as verified on 2026-05-19.