Data & Privacy · Denmark
Data protection & GDPR compliance in Denmark (2026)
Denmark shaded by its data & privacy status
Data protection in Denmark: comprehensive law, under EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) as directly applicable EU law, supplemented nationally by the Danish Data Protection Act (Databeskyttelsesloven, Act No. 502 of 23 May 2018). Supervisory authority: Datatilsynet (Danish Data Protection Agency)..
Denmark has a comprehensive, GDPR-style data-protection regime. The GDPR applies directly and is supplemented by the national Danish Data Protection Act, which entered into force alongside the GDPR on 25 May 2018 and exercises the regulation's member-state options (derogations). The independent supervisory authority is Datatilsynet, which oversees both public and private sectors but, distinctively, cannot levy administrative fines itself, penalties run through the criminal-justice system.
GDPR & data protection in Denmark
In Denmark, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Danish Data Protection Agency (Datatilsynet).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Danish Data Protection Agency (Datatilsynet)
- Applies to
- any organisation processing the personal data of people in Denmark, wherever the organisation is based
- Maximum fine
- €20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Denmark supplements it with a national data-protection act and its own supervisory authority.
GDPR in Denmark: FAQ
Yes. As an EU/EEA member, Denmark applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Danish Data Protection Agency (Datatilsynet).
The Danish Data Protection Agency (Datatilsynet).
Up to €20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
The GDPR applies directly as EU law and is supplemented by the Danish Data Protection Act (Act No. 502 of 23 May 2018), both effective from 25 May 2018, giving Denmark a full omnibus personal-data framework covering public and private sectors.
Datatilsynet (Danish Data Protection Agency), based in Copenhagen, is the independent supervisory authority. It is led by the Data Council (Datarådet), a chair (a qualified lawyer) plus six members appointed by the Minister of Justice, supported by a secretariat.
Unlike most EU authorities, Datatilsynet cannot impose administrative fines directly; it reports cases recommending prosecution to the police, who investigate and may refer to the courts, which set any fine. GDPR's maximum ceilings (up to EUR 20m or 4% of global turnover) apply, but court-imposed fines have been comparatively low (largest to date DKK 1m, Arp-Hansen Hotels, 2023).
The Danish Act uses GDPR member-state options, including special rules for journalism, crime prevention, parliamentary work and legal proceedings; processing of personal data for personnel administration based on legislation or collective agreements; and disclosure of general personal data between businesses for marketing without consent, subject to checking an opt-out register.
Denmark set the age of digital consent at 13 (§ 6 of the Act). The Act also gives elevated protection to the CPR (national identification) number, restricting when public and private entities may process it.
For 2026 Datatilsynet has prioritised cookie-consent practices (targeting dark patterns, cookie walls, pre-ticked boxes and lack of genuine refusal, coordinating with Digitaliseringsstyrelsen), alongside monitoring via new technologies and personal-data security, including AI in devices and home patient-care monitoring.
Timeline - major decisions & events
Following its reassessment of the Google Chromebook/Workspace setup, Datatilsynet issued serious criticism of 51 municipalities for unlawful processing of pupils' data, showing the years-long schools dispute remains unresolved.
The Copenhagen Post ↗Datatilsynet extended its Helsingør ruling to all ~53 municipalities using the same Google Workspace for Education setup, issuing binding orders to fix third-country transfer and controller-control problems.
GDPRhub (Datatilsynet 2023-431-0001) ↗Datatilsynet reported Netcompany to police and recommended its largest-ever fine after a coding flaw in the mit.dk digital-mailbox authentication could let users access others' public-authority mail.
DataGuidance ↗The DPA found Google Analytics non-compliant with GDPR because it transfers personal data to the US without adequate safeguards post-Schrems II, making Denmark the fourth EU state to reach this conclusion.
DataGuidance ↗In a landmark decision, Datatilsynet banned Helsingør municipality's use of Google Chromebooks and Workspace for Education in primary schools and suspended US data transfers until GDPR-compliant.
TechCrunch ↗After the bank self-reported it could not document deletion across 400+ systems holding millions of customers' data, Datatilsynet filed a police report proposing a ~EUR 1.3m fine for retention/deletion failures.
EDPB ↗Datatilsynet proposed Denmark's first GDPR fine (DKK 1.2m) against taxi firm Taxa 4x35 for over-retaining customer phone numbers tied to ~9m rides, breaching the data-minimisation principle.
EDPB ↗Regulation (EU) 2016/679 (adopted 14 April 2016) took effect, directly applying in Denmark and establishing the core data-protection framework that supersedes the 1995 Directive.
EUR-Lex ↗Denmark enacted the Data Protection Act to supplement the GDPR with national derogations (e.g. on CPR numbers, employment and research) and designated Datatilsynet as supervisory authority.
Datatilsynet ↗Act No. 429 of 31 May 2000 transposed the EU Data Protection Directive 95/46/EC into Danish law, governing personal-data processing until replaced by the GDPR regime in 2018.
Council of Europe ↗The Private Registers Act and the Public Authorities' Registers Act introduced Denmark's first rules on personal-data registers, predating the EU framework and laying the groundwork for later laws.
GDPRhub ↗Denmark - other topics
Data & Privacy in other countries
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →