Data & Privacy · Denmark
Data protection & privacy laws in Denmark (2026)
Denmark shaded by its data & privacy status
Denmark has a comprehensive, GDPR-style data-protection regime. The GDPR applies directly and is supplemented by the national Danish Data Protection Act, which entered into force alongside the GDPR on 25 May 2018 and exercises the regulation's member-state options (derogations). The independent supervisory authority is Datatilsynet, which oversees both public and private sectors but, distinctively, cannot levy administrative fines itself — penalties run through the criminal-justice system.
Key points
The GDPR applies directly as EU law and is supplemented by the Danish Data Protection Act (Act No. 502 of 23 May 2018), both effective from 25 May 2018, giving Denmark a full omnibus personal-data framework covering public and private sectors.
Datatilsynet (Danish Data Protection Agency), based in Copenhagen, is the independent supervisory authority. It is led by the Data Council (Datarådet) — a chair (a qualified lawyer) plus six members appointed by the Minister of Justice — supported by a secretariat.
Unlike most EU authorities, Datatilsynet cannot impose administrative fines directly; it reports cases recommending prosecution to the police, who investigate and may refer to the courts, which set any fine. GDPR's maximum ceilings (up to EUR 20m or 4% of global turnover) apply, but court-imposed fines have been comparatively low (largest to date DKK 1m, Arp-Hansen Hotels, 2023).
The Danish Act uses GDPR member-state options, including special rules for journalism, crime prevention, parliamentary work and legal proceedings; processing of personal data for personnel administration based on legislation or collective agreements; and disclosure of general personal data between businesses for marketing without consent, subject to checking an opt-out register.
Denmark set the age of digital consent at 13 (§ 6 of the Act). The Act also gives elevated protection to the CPR (national identification) number, restricting when public and private entities may process it.
For 2026 Datatilsynet has prioritised cookie-consent practices (targeting dark patterns, cookie walls, pre-ticked boxes and lack of genuine refusal, coordinating with Digitaliseringsstyrelsen), alongside monitoring via new technologies and personal-data security, including AI in devices and home patient-care monitoring.
Timeline - major decisions & events
Following its reassessment of the Google Chromebook/Workspace setup, Datatilsynet issued serious criticism of 51 municipalities for unlawful processing of pupils' data, showing the years-long schools dispute remains unresolved.
The Copenhagen Post ↗Datatilsynet extended its Helsingør ruling to all ~53 municipalities using the same Google Workspace for Education setup, issuing binding orders to fix third-country transfer and controller-control problems.
GDPRhub (Datatilsynet 2023-431-0001) ↗Datatilsynet reported Netcompany to police and recommended its largest-ever fine after a coding flaw in the mit.dk digital-mailbox authentication could let users access others' public-authority mail.
DataGuidance ↗The DPA found Google Analytics non-compliant with GDPR because it transfers personal data to the US without adequate safeguards post-Schrems II, making Denmark the fourth EU state to reach this conclusion.
DataGuidance ↗In a landmark decision, Datatilsynet banned Helsingør municipality's use of Google Chromebooks and Workspace for Education in primary schools and suspended US data transfers until GDPR-compliant.
TechCrunch ↗After the bank self-reported it could not document deletion across 400+ systems holding millions of customers' data, Datatilsynet filed a police report proposing a ~EUR 1.3m fine for retention/deletion failures.
EDPB ↗Datatilsynet proposed Denmark's first GDPR fine (DKK 1.2m) against taxi firm Taxa 4x35 for over-retaining customer phone numbers tied to ~9m rides, breaching the data-minimisation principle.
EDPB ↗Regulation (EU) 2016/679 (adopted 14 April 2016) took effect, directly applying in Denmark and establishing the core data-protection framework that supersedes the 1995 Directive.
EUR-Lex ↗Denmark enacted the Data Protection Act to supplement the GDPR with national derogations (e.g. on CPR numbers, employment and research) and designated Datatilsynet as supervisory authority.
Datatilsynet ↗Act No. 429 of 31 May 2000 transposed the EU Data Protection Directive 95/46/EC into Danish law, governing personal-data processing until replaced by the GDPR regime in 2018.
Council of Europe ↗The Private Registers Act and the Public Authorities' Registers Act introduced Denmark's first rules on personal-data registers, predating the EU framework and laying the groundwork for later laws.
GDPRhub ↗Denmark - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →