I. Legal framework
The Act on Processing of Personal Data (the Act or PPD) entered into force on 1 July 2000.1 The Act implements the European Union (EU) Data Protection Directive 1995/46/EC into Danish law. It replaces the Private Registers Act of 1978, which governed the private sector,2 and the Public Authorities' Registers Act of 1978, which governed the public sector.3 The law divides personal information into three categories: ordinary, sensitive, and semi-sensitive, and provides different conditions for the processing of each.4 According to Section 2 (2), the Act shall not be applied if doing so is contradictory to the freedom of expression and information as stipulated in Article 10 of the European Convention on Human Rights. An exemption from the Act is provided for the Danish Security Intelligence Service (Politiets Efterretningstjeneste or PET) and the Danish Defence Intelligence Service (Forsvarets Efterretningstjeneste or FE).
According to PPD Section 7 (1) there may be no processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or sex life. Exceptions can be allowed under certain conditions.
Private controllers must in most cases obtain the authorisation of the Danish Data Protection Agency before processing data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or sexual relations, criminal offences, serious social problems, or other purely private matters.
An exemption from the Act is provided in Section 2, subsections 5 and 11, for processing performed on behalf of Folketinget (the Danish Parliament) and its related institutions, the Danish Security Intelligence Service and the Danish Defence Intelligence Service. According to Chapter 17 of the PPD, the Danish Court Administration supervises the processing of data carried out on behalf of Danish courts. According to Section 2, subsection 4, some of the rules in the Act do not apply to the processing of data that is performed on behalf of the courts, the police or the prosecution in the area of criminal law.5
The PPD and the Act on Public Administration were amended by Act No. 503 of 12 June 2009. From 1 July 2009 the PPD, Section 1(3), also regulates the manual transfer of personal data between public authorities. Before this date this processing operation was regulated by the Act on Public Administration, Section 28(1-3). Transfer of confidential and non-confidential personal information between public authorities has been somewhat expanded (PPD Section 8(2) No. 3), since the amended PPD now allows for the transfer of sensitive information if it is necessary for case-handling by the receiving authority.6
Rules on data protection are a part of many Danish statutes7 among which there are: the Penal Code,8 the Statute on Financial Institutions,9 the Public Administration Act,10 the Act on the Central Personal Data Register,11 the Act on Social Services,12 the Marketing Act,13 the Act on the DNA Profile Register,14 and the Administration of Justice Act.15 Sectoral laws also provide special protections for medical information,16 information about customers of financial businesses17 and payment services details,18 and lay down restrictions on direct marketing (including spam).19 If they are in accordance with Denmark's international obligations, these sectoral laws take priority over the general Data Protection Act.20
Data protection authority
The Danish Data Protection Agency (Datatilsynet or DPA) enforces the Act. The DPA is an independent public body consisting of a council and a secretariat. The Minister of Justice appoints the members of the council. Section 56 of the PPD states that the DPA shall act with complete independence in executing the functions entrusted to it. Neither the Ministry of Justice nor any other public body has instructive authority over the DPA, but the agency is attached to the Ministry of Justice regarding recruitment of staff and budgetary issues.21 Furthermore, the Minister of Justice appoints the members of the data council.
The DPA supervises registries established by public authorities and private enterprises in Denmark. It ensures that the conditions for registration, disclosure, and storage of data on individuals are complied with. It mainly deals with specific cases based on inquiries from public authorities or private individuals, or cases taken up by the agency on its own initiative. DPA staff are allowed to enter, without a court order, any premises where a file is operated. Section 58 of the Act on Processing of Personal Data states that the DPA shall see to it that the processing of personal data is carried out in compliance with the provisions of the Act and that any regulations issued are in accordance with the Act. The DPA also has competence to conduct unannounced inspections. Decisions22 made by the DPA are final and may not be appealed to any other administrative body. They may, however, be brought before the courts.
As reported above, private controllers must in most cases obtain the authorisation of the DPA before processing sensitive or semi-sensitive data. The latter are certain kinds of data that are regulated in such a way that they are almost viewed as sensitive. These are data on criminal offences, serious social problems, and other data of a clearly private nature.23
According to the PPD, the DPA is required to give an opinion before any new laws or regulations that have an impact on privacy are issued.24 The DPA has examined the Act on Prohibition of Video Surveillance and assessed whether this type of surveillance complies with the PPD.25
In 2009 the staff of the DPA was around 35 and its budget was DKK20.4 million (approximately €2,738 million) in governmental funding, plus DKK513,000 (€68,859) in external funding.26
In 2009, the DPA received 1,468 inquiries and complaints, and the DPA initiated 170 cases of its own accord and carried out 83 inspections. Of the 1,468 inquiries and complaints, 960 concerned private entities, and 508 concerned public bodies. Private entities filed 2,077 notifications of registration of personal information; public bodies filed 375. Of the 4,859 cases in total, other topics of interest are: issues of security (30), legislative preparation (329), and international cases (157).27 The issues of digital surveillance as a crime prevention measure and security in relation to the transfer of personal information on the Internet have been central to many of the inquiries and statements.
The DPA issues opinions every year, including in 2005, when it issued an interesting and critical opinion on reporting to the Schengen Information System (SIS).28 The Danish DPA criticised the National Commissioner of Police in Denmark for an unacceptably high number of errors in reporting to the SIS database personal data that had been passed to another EU Member State or to a third country. The SIS database provides access to alerts on individuals, including immigration, on public order or national security grounds. "[A]n investigation by the Danish Data Protection Agency in June 2005 found 68 errors out of a base of 443 Article 96 'alerts'29 on the Schengen Information System (SIS) entered by Denmark."30 According to the DPA, 11 people had incorrectly been declared "undesirable" in Denmark. The DPA concluded that Rigspolitiet (the National Commission of the Danish Police) had violated PPD Section 5 (4). The DPA stated that dealing with personal data shall be organised in a manner that allows for necessary updates. In addition, necessary control measures must be initiated to ensure that the information is not misleading or wrong. Information which is found to be wrong or misleading must be erased or corrected.31
On 3 April 2009 the DPA sent a list of questions to Facebook.32 The agency questioned Facebook about whether the network is registered in an EU country and how and whether it adheres to Danish legislation on personal data protection.33 On 18 December 2009 the DPA received a reply in which Facebook thanked the DPA for making it aware of the DPA's guidelines following the resolution of the 30th International Conference of Data Protection and Privacy Commissioners and explained some of the improvements made to the privacy settings on Facebook.34
The DPA provides information and views regarding legislative proposals, and has a useful Web site where journalists and others can obtain information on specific issues, cases, and press briefs. In 2009 the DPA focused on TV surveillance and published, in cooperation with other stakeholders, material for school children.35 The aim was to raise awareness among youngsters about the protection of their own and others' personal information.
Major privacy and data protection case law
In 2006 the Eastern High Court of Denmark decided a case concerning a company that had posted on a Web site two individuals' social security numbers for a period of seven days.36 Signing a mortgage contract, which they knew would be registered, could not be regarded as explicit consent to publication of the social security numbers, and the publication was therefore found to be a violation of the PPD, Section 11, subsection 3. The defendant company was found to be responsible and was fined DKK3,000 (€400) according to the PPD, Section 70, subsection 5, No. 1.
The DPA was asked to give an opinion regarding the request of ATP37 to transfer personal data to third countries.38 The DPA was then informed that by the end of 2006, ATP had a total of almost 4.5 million members and approximately 150,000 contributing employers, coming from both the public and private sectors.39 The information processed by ATP included information such as name, address, other contact information, civil registration number, employer, occupation, and education.40 ATP wished to transfer this data about members and contributing employees to data processors in India and South America, for the purposes of the security of supplies.41
The DPA, when asked to comment on this, informed ATP of Section 41(4) of the Act on the Processing of Personal Data, which states in part that: "As regards data which are processed for the public administration and which are of special interest to foreign powers, measures shall be taken to ensure that they can be disposed of or destroyed in the event of war or similar conditions." The Act therefore prevented ATP from transferring personal data to India and South Africa.42 The DPA stressed that both personal data from the centralised civil register and personal data about citizens' education were covered by Section 41(4) when the Act on the Processing of Personal Data was adopted.43
Other relevant case law concerning privacy and data protection is categorised and discussed under the corresponding section.44
- 1. Lov om behandling af personoplysninger (Act on Processing of Personal Data), Act No. 429 of 31 May 2000, available at http://www.datatilsynet.dk/english/the-act-on-processing-of-personal-data/.
- 2. Lov nr 293 af 8 juni 1978 om private registre mv (Private Registers Act of 1978), in force 1 January 1979.
- 3. Lov nr 294 af 8 juni 1978 om offentlige myndigheders registre (Public Authorities' Registers Act of 1978), in force 1 January 1979.
- 4. Peter Blume et al., Nordic Data Protection 19-20 (DJOEF Publishing Copenhagen 2001).
- 5. Chapter 8 (information given to the data subjects) and Chapter 9 (the data subject's right of access to data) as well as Sections 35-37 (e.g. provisions about the data subject's right to object and the controller's duty to rectify, erase, or block data in some cases) and Section 39 (provision about the data subject's possibility to object against decision which produce legal effects concerning him/her or significantly affecting him/her and which is based solely on automated processing of data intended to evaluate certain personal aspects) do not apply for processing of data, which is performed on behalf of the courts in the area of criminal law. Further, chapter 8 as well as Sections 35-37 and 39 do not apply for processing of data, which is performed on behalf of the police or the prosecution in the area of criminal law.
- 6. See Datatilsynets årsberetning 2008 og 2009 (DPA Annual Report 2008 and 2009), at 20-21, available in Danish at http://www.datatilsynet.dk/fileadmin/user_upload/dokumenter/AArsberetnin...
- 7. See Peter Blume, Country Studies: A.2 – Denmark, in Douwe Korff (Ed.), Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments, European Commission DG JFS. May 2010, at 2, available at http://ec.europa.eu/justice/policies/privacy/docs/studies/new_privacy_ch....
- 8. Act No. 1068 of 6 November 2008.
- 9. Act No. 897 of 4 September 2008.
- 10. Lov 2007-12-07 nr. 1365 Forvaltningslov (Act No. 1365 of 7 December 2007).
- 11. Act No. 1134 of 20 November 2006.
- 12. Act No. 58 of 18 January 2007.
- 13. Act No. 1389 of 21 December 2005.
- 14. Act No. 434 of 31 May 2000.
- 15. Act No. 1069 of 6 November 2008.
- 16. Lov 2010-07-13 nr. 913 Sundhedsloven (Act No. 913 on Danish Health of 13 July 2010).
- 17. Lov 2010-09-23 nr. 1125 om finansiel virksomhed (Act No. 1125 on Financial Business of 23 September 2010).
- 18. Lov 2009-05-25 nr. 385 om betalingstjenester (Act No. 385 on Payment Services of 25 May 2009).
- 19. Lovbekendtgørelse 2009-08-31 nr. 839 om markedsføring (Consolidated Act on Marketing Practices No. 839 of 31 August 2009).
- 20. Peter Blume et al., supra.
- 21. The DPA consists of a Council and an independent Secretariat, which is only answerable to the Council. The Council, which is set up by the Minister of Justice, is composed of a chairman, who is a legally qualified judge, and of six other members. The Council decides in leading cases. The day-to-day business is attended by the Secretariat, which currently counts around 30 employees including: one director, 19 legal advisors, five IT security consultants and administrative staff. See http://www.datatilsynet.dk/om-datatilsynet/medarbejdere/.
- 22. Information is available at http://www.datatilsynet.dk/afgoerelser/.
- 23. Peter Blume, Country Studies, supra at 3.
- 24. Datatilsynet, at http://www.datatilsynet.dk/; English version available at http://www.datatilsynet.dk/english/.
- 25. Lov om behandling af personoplysninger (Act on Processing of Personal Data), Chapter 6(a), supra.
- 26. See http://www.datatilsynet.dk/fileadmin/user_upload/dokumenter/AArsrapporte....
- 27. Datatilsynets årsberetning 2008 og 2009 (DPA Annual Report 2008 and 2009), supra.
- 28. See Journalnummer: 2003-851-0048 "Undersøgelse af indberetninger i henhold til Schengen-konventionens" ("Examination of Reporting Pursuant to the Schengen Convention"), 10 June 2005, available in Danish at http://www.datatilsynet.dk/index.php?id=325&tx_ttnews%5Btt_news%5D=219&n....
- 29. I.e. blocking third-country nationals from entering Schengen territory.
- 30. Tony Bunyan, "Statewatch Analysis. EU Data Protection in Police and Judicial Cooperation Matters: Rights of Suspects and Defendants under Attack by Law Enforcement Demands," October 2006, http://www.statewatch.org/news/2006/oct/eu-dp.pdf .
- 31. "Undersøgelse af indberetninger i henhold til Schengen-konventionens" ("Examination of Reporting Pursuant to the Schengen Convention"), supra.
- 32. Letter from Janni Christoffersen, Director, The Danish Data Protection Agency to Chris Kelly, Chief Privacy Officer, Facebook, "Facebook's Processing of Personal Data," 3 April 2009, available at http://www.datatilsynet.dk/fileadmin/user_upload/dokumenter/Facebook.pdf .
- 33. Id.
- 34. Letter from Chris Kelly, Chief Privacy Officer, Facebook, to Janni Christoffersen, Director, Danish Data Protection Agency, 18 December 2009, available at http://www.datatilsynet.dk/fileadmin/user_upload/dokumenter/Breve/Facebo... .
- 35. See http://www.dubestemmerselv.dk.
- 36. U.2007.334Ø, Østre Landsret (Eastern High Court of Denmark).
- 37. ATP is an independent institution, established by Act No. 46 of 7 March 1964, for the purpose of paying supplementary pensions to wage earners etc.
- 38. 11th Annual Report of the Article 29 Data Protection Working Party (2007), 24 June 2008, Chapter Two, Main Developments in Member States: Denmark, European Commission, at 31-33.
- 39. Id.
- 40. Id.
- 41. Id.
- 42. Id.
- 43. Id.
- 44. Cfr. Section "Data Protection Authority," supra and Sections "Cybercrime," "E-commerce," "International Obligations & International Cooperation," infra in this report.