Skip to content
World Watch/Denmark/Data & Privacy

Data & Privacy · Denmark

Data protection & GDPR compliance in Denmark (2026)

Comprehensive lawEU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) as directly applicable EU law, supplemented nationally by the Danish Data Protection Act (Databeskyttelsesloven, Act No. 502 of 23 May 2018). Supervisory authority: Datatilsynet (Danish Data Protection Agency).Country index 90 · A+

Denmark shaded by its data & privacy status

Data protection in Denmark: comprehensive law, under EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) as directly applicable EU law, supplemented nationally by the Danish Data Protection Act (Databeskyttelsesloven, Act No. 502 of 23 May 2018). Supervisory authority: Datatilsynet (Danish Data Protection Agency)..

Denmark has a comprehensive, GDPR-style data-protection regime. The GDPR applies directly and is supplemented by the national Danish Data Protection Act, which entered into force alongside the GDPR on 25 May 2018 and exercises the regulation's member-state options (derogations). The independent supervisory authority is Datatilsynet, which oversees both public and private sectors but, distinctively, cannot levy administrative fines itself, penalties run through the criminal-justice system.

GDPR & data protection in Denmark

In Denmark, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Danish Data Protection Agency (Datatilsynet).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Danish Data Protection Agency (Datatilsynet)
Applies to
any organisation processing the personal data of people in Denmark, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Denmark supplements it with a national data-protection act and its own supervisory authority.

GDPR in Denmark: FAQ

Does the GDPR apply in Denmark?

Yes. As an EU/EEA member, Denmark applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Danish Data Protection Agency (Datatilsynet).

Who enforces data protection law in Denmark?

The Danish Data Protection Agency (Datatilsynet).

What are the GDPR fines in Denmark?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Denmark?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Denmark?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Comprehensive GDPR-based regime

The GDPR applies directly as EU law and is supplemented by the Danish Data Protection Act (Act No. 502 of 23 May 2018), both effective from 25 May 2018, giving Denmark a full omnibus personal-data framework covering public and private sectors.

Supervisory authority, Datatilsynet

Datatilsynet (Danish Data Protection Agency), based in Copenhagen, is the independent supervisory authority. It is led by the Data Council (Datarådet), a chair (a qualified lawyer) plus six members appointed by the Minister of Justice, supported by a secretariat.

Distinctive enforcement model, no direct administrative fines

Unlike most EU authorities, Datatilsynet cannot impose administrative fines directly; it reports cases recommending prosecution to the police, who investigate and may refer to the courts, which set any fine. GDPR's maximum ceilings (up to EUR 20m or 4% of global turnover) apply, but court-imposed fines have been comparatively low (largest to date DKK 1m, Arp-Hansen Hotels, 2023).

National derogations under the Act

The Danish Act uses GDPR member-state options, including special rules for journalism, crime prevention, parliamentary work and legal proceedings; processing of personal data for personnel administration based on legislation or collective agreements; and disclosure of general personal data between businesses for marketing without consent, subject to checking an opt-out register.

Child consent age and CPR numbers

Denmark set the age of digital consent at 13 (§ 6 of the Act). The Act also gives elevated protection to the CPR (national identification) number, restricting when public and private entities may process it.

2026 supervisory priorities

For 2026 Datatilsynet has prioritised cookie-consent practices (targeting dark patterns, cookie walls, pre-ticked boxes and lack of genuine refusal, coordinating with Digitaliseringsstyrelsen), alongside monitoring via new technologies and personal-data security, including AI in devices and home patient-care monitoring.

Timeline - major decisions & events

Feb 2, 2026enforcement
DPA criticizes 51 municipalities over Google in schools

Following its reassessment of the Google Chromebook/Workspace setup, Datatilsynet issued serious criticism of 51 municipalities for unlawful processing of pupils' data, showing the years-long schools dispute remains unresolved.

The Copenhagen Post
Jan 30, 2024decision
Chromebook/Google Workspace order extended to all municipalities

Datatilsynet extended its Helsingør ruling to all ~53 municipalities using the same Google Workspace for Education setup, issuing binding orders to fix third-country transfer and controller-control problems.

GDPRhub (Datatilsynet 2023-431-0001)
Jan 12, 2024enforcement
Record DKK 15m fine recommended against Netcompany (mit.dk)

Datatilsynet reported Netcompany to police and recommended its largest-ever fine after a coding flaw in the mit.dk digital-mailbox authentication could let users access others' public-authority mail.

DataGuidance
Sep 21, 2022decision
Datatilsynet declares Google Analytics unlawful

The DPA found Google Analytics non-compliant with GDPR because it transfers personal data to the US without adequate safeguards post-Schrems II, making Denmark the fourth EU state to reach this conclusion.

DataGuidance
Jul 14, 2022decision
Helsingør school Chromebook/Google Workspace ban

In a landmark decision, Datatilsynet banned Helsingør municipality's use of Google Chromebooks and Workspace for Education in primary schools and suspended US data transfers until GDPR-compliant.

TechCrunch
Apr 5, 2022enforcementofficial
DKK 10m fine recommended against Danske Bank

After the bank self-reported it could not document deletion across 400+ systems holding millions of customers' data, Datatilsynet filed a police report proposing a ~EUR 1.3m fine for retention/deletion failures.

EDPB
Mar 18, 2019enforcementofficial
First Danish GDPR fine recommendation: Taxa 4x35

Datatilsynet proposed Denmark's first GDPR fine (DKK 1.2m) against taxi firm Taxa 4x35 for over-retaining customer phone numbers tied to ~9m rides, breaching the data-minimisation principle.

EDPB
May 25, 2018lawofficial
GDPR becomes applicable across the EU

Regulation (EU) 2016/679 (adopted 14 April 2016) took effect, directly applying in Denmark and establishing the core data-protection framework that supersedes the 1995 Directive.

EUR-Lex
May 23, 2018lawofficial
Danish Data Protection Act adopted (Act No. 502)

Denmark enacted the Data Protection Act to supplement the GDPR with national derogations (e.g. on CPR numbers, employment and research) and designated Datatilsynet as supervisory authority.

Datatilsynet
Jul 1, 2000lawofficial
Act on Processing of Personal Data (Persondataloven) enters force

Act No. 429 of 31 May 2000 transposed the EU Data Protection Directive 95/46/EC into Danish law, governing personal-data processing until replaced by the GDPR regime in 2018.

Council of Europe
Jan 1, 1978law
Denmark's first data-protection statutes

The Private Registers Act and the Public Authorities' Registers Act introduced Denmark's first rules on personal-data registers, predating the EU framework and laying the groundwork for later laws.

GDPRhub

Denmark - other topics

Data & Privacy in other countries

Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →