The Danish Parliament approved the Data Protection Act on May 23, 2018. The law brings the country's data protection regime in line with the EU General Data Protection Regulation.
The lawmaking process
The preparation for the act went on for two years and included several committees and working groups. In May 2017, a very comprehensive report was published (more than 1300 pages) in which each of the GDPR’s articles was analyzed and compared with existing legislation, and recommendations for a new law were given.
The proposal for the new Data Protection Act was presented to Parliament Oct. 25, 2017, and most people expected the act to be adopted before the end of 2017, giving private and public organizations time to adopt the new law. However, one provision led to a lot of debate both in Parliament and in the public, delaying the adoption of the act until May 23, 2018. The provision gives the competent minister the power to allow public authorities to further process data (except health data) for purposes other than what it was collected for — irrespective of the compatibility of the purposes. The competent minister will have to hear the Justice Department — but there will be no parliamentary involvement. And data subjects’ rights are limited, cf. GDPR Article 23. Despite the long debate, the act was passed in Parliament with only minor amendments by a small majority of the votes.
The geographical scope of the Data Protection Act
The act applies to all processing performed by or on behalf of controllers or processors established in Denmark — no matter where the processing takes place. It further applies to processing by controllers or processors established outside Denmark if it is done in connection with offering goods or services to persons situated in Denmark or monitoring of such persons if the monitored behavior takes place in Denmark.
The content of the Data Protection Act
The act re-enacts to a very large extent the pre-existing law from the Personal Data Act, and it includes a lot of specific regulation not regulated in the GDPR.
The areas where the Data Protection Act extends beyond what is covered by the GDPR are, in summary:
- Manual disclosure of personal information between administrative authorities is covered.
- Information on legal persons (limited companies, etc.) is covered when processing is carried out by credit information agencies. The act contains several provisions on credit information agencies and disclosure of debt to public authorities.
- Video surveillance is covered even outside the scope of the GDPR (e.g., surveillance performed by private households or via manual (analogue) equipment).
- The act also applies to information about deceased persons (normally until 10 years after their death).
Derogations. The specific derogations from the GDPR can be seen here. But in summary, the most important derogations are the following:
The act allows processing of normal and sensitive data in connection with personnel administration on the basis of legitimate interests that arise from legislation or collective agreements. This also applies to public authorities, which cannot normally rely on legitimate interest. It is stated in the act that consent may be used as legal basis for processing HR data, which is contrary to Article 29 Working Party opinions.
The act allows disclosure of general personal data between enterprises for marketing purposes without consent, provided an opt-out register is checked first. However, the actual marketing will have to comply with the Danish Marketing Practices Act — which implements the rules in the ePrivacy Directive on direct electronic marketing.
Exceptions to the duty of disclosure and the right to access apply not only to matters of essential public interest but also to private controllers’ vital private interest (e.g., business secrets).
Mass media and their information databases are generally exempted from the act and large parts of the GDPR to protect the freedom of speech.
The act has specific provisions on processing of Social Security numbers and data concerning criminal offenses. These provisions are less restrictive than GDPR Article 9 but more restrictive than Article 6. The age limit for consent from children in order to use information society services (social media, apps, etc.) has been lowered to 13 years.
Prior approval from the Danish Data Protection Agency is required before establishing warning registers, credit rating agencies and judicial information systems.
As mentioned above under the lawmaking process, the possibility for public authorities to process data for a new purpose is extended and transparency obligations are limited when processing for a new purpose.
The current structure of the Danish Data Protection Agency with a council and a secretariat is re-enacted. The DPA has been provided additional funding and staff in 2018 — increased by about 50 percent (now between 50 and 60 employees).
The Danish Data Protection Agency can impose penalty notices in uncomplicated matters. In all other situations, matters concerning penalties for infringement of the data protection legislation in the form of fines must be brought before the courts. Until appropriate levels of fines have been set by Danish courts, all fines will be handled in courts in a number of test cases.
The first fine under the GDPR is yet to be seen in Denmark, but the first cases have been reported to the police. The DPA has been quite busy handling data breach notifications and complaints and providing guidance to businesses and authorities. About 80 data breach notifications are received each week — making Denmark number one in the EU on the number of reported breaches when the size of the population is taken into account.