Skip to content
GDPR by Law

European Union · updated 2026-06-15

Denmark

Conditional

Denmark routes GDPR fines through criminal courts, so penalties are rarer but investigations are thorough — Datatilsynet banned Google Workspace in Helsingør schools over transfer risks. Documentation quality is the Danish currency of compliance.

Law:
GDPR + Data Protection Act (Databeskyttelsesloven) + Cookie Order
Regulator:
Datatilsynet

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

€20,000,000 or 4% of global annual revenue, whichever is higher — imposed via criminal courts

What Denmark requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Privacy policy (privatlivspolitik)

    Art. 13–14 GDPR

    Privacy notice with concrete retention periods — Danish enforcement history centres on retention promises companies failed to keep.

    How to implement Whatever deletion schedule you publish, automate it. Taxa 4x35's fine came from keeping data past its own stated deadline, not from the deadline itself.

    Required
  2. Cookie consent banner

    Cookiebekendtgørelsen §3

    Opt-in consent with prior blocking; Danish guidance requires consent to be as easy to withdraw as to give.

    How to implement Standard EU CMP configuration with a Danish-language banner; link a 'withdraw consent' control in the footer.

    Required
  3. Records of processing (ROPA)

    Art. 30 GDPR

    Standard register; Datatilsynet's audit letters ask for it alongside your risk assessments.

    How to implement Use Datatilsynet's published templates — Danish supervision is documentation-first, and matching their format speeds up responses.

    Required
  4. Data protection officer

    Art. 37 GDPR

    GDPR-baseline thresholds; notify Datatilsynet of appointments.

    How to implement Register via Virk.dk and publish contact details in your privatlivspolitik.

    Conditional
  5. Breach notification process

    Art. 33–34 GDPR

    72-hour notification via Virk.dk plus a documented risk assessment per incident.

    How to implement Datatilsynet's published decisions show it checks whether your assessment considered all harm types — use its assessment framework as your template.

    Required
  6. Risk-assessed cloud vendor choices

    Ch. V GDPR + Schrems II

    The Helsingør/Google Workspace case shows Danish supervision demands documented risk assessments before deploying US cloud services at scale.

    How to implement Before adopting a US-based processor for sensitive contexts, write a short DPIA-style assessment: data categories, transfer mechanism, and mitigations.

    Recommended

The details

Cookie consent
The Danish Cookie Order (Cookiebekendtgørelsen) requires informed opt-in consent for non-essential cookies, supervised by the Agency for Digital Government with Datatilsynet covering the data side. Prior blocking and a real reject option are required.
Data Protection Officer
GDPR baseline thresholds; DPO appointments are notified to Datatilsynet electronically.
Processing agreements
Art. 28 databehandleraftale required with every processor. Datatilsynet publishes its own standard DPA template, widely used in Danish contracting.
Breach notification
Report within 72 hours via Virk.dk's breach form. Datatilsynet publishes detailed breach-handling decisions and expects a written risk assessment for every incident.
Enforcement in practice
Datatilsynet recommended a DKK 1.2M fine against taxi company Taxa 4x35 for retaining 9M rides' data past its own deletion deadline; courts later fined furniture chain ILVA DKK 1M.

Data subject rights

What users can demand from you in Denmark, and the engineering that satisfies each right.

Right to access

Art. 15 GDPR

Copy of personal data and processing details within one month.

Respond within 30 days; Datatilsynet issues 'serious criticism' decisions (reputationally costly) even where no fine follows.

Right to erasure

Art. 17 GDPR

Deletion when data is no longer necessary or consent withdrawn.

Danish bookkeeping law requires 5-year retention of accounting records. Crucially: enforce your own stated deletion deadlines — that's the Danish enforcement pattern.

Right to data portability

Art. 20 GDPR

Machine-readable export of user-provided data.

JSON/CSV export for consent- and contract-based data.

Right to rectification

Art. 16 GDPR

Correction of inaccurate personal data.

Self-service edits plus a support channel.

Right to restrict processing & to object

Art. 18, 21 GDPR

Freeze during disputes; absolute objection to direct marketing.

Denmark's Robinson list (CPR-Robinsonlisten) must be checked before direct marketing to consumers.

Automated decision-making

Art. 22 GDPR

Protection against solely automated significant decisions.

Disclose logic and provide human review; Danish public-sector algorithm scrutiny is high and spills into vendor requirements.

Tools that cover Denmark

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • cookie consent

    Cookiebot

    Danish-founded CMP — built around the Danish Cookie Order and EU rules from day one.

    Visit Cookiebot →
  • privacy policy

    iubenda

    Danish-language policies with the concrete retention wording Datatilsynet expects.

    Visit iubenda →
  • dpa template

    Termly

    DPA templates compatible with Datatilsynet's standard databehandleraftale structure.

    Visit Termly →

Frequently asked questions

Why are Danish GDPR fines so rare?

Denmark (like Estonia) has no administrative fining power — Datatilsynet must refer cases to police and courts, so fines take years. Instead it issues public 'criticism' decisions and orders, which hit reputation and can ban processing outright, as in the Google Workspace schools case.

What is the single most Danish compliance mistake?

Publishing a deletion policy and not automating it. Danish decisions repeatedly punish companies for holding data past their own stated deadlines. Set retention jobs in code, not in policy documents.

Can Danish organisations use US cloud services?

Yes, with documented risk assessment — the Helsingør case was about deploying Google Workspace for schoolchildren without adequate assessment, not a blanket ban. Post-DPF, standard SaaS usage with a DPA and transfer mapping is workable.

Where do I report a breach in Denmark?

Through the joint public portal Virk.dk, which routes to Datatilsynet. Keep your written risk assessment — Datatilsynet's follow-up questions focus on how you scored the risk to individuals.

Similar jurisdictions

Free download

Get GDPR updates for Denmark

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.