European Union · updated 2026-06-15
Denmark
Denmark routes GDPR fines through criminal courts, so penalties are rarer but investigations are thorough — Datatilsynet banned Google Workspace in Helsingør schools over transfer risks. Documentation quality is the Danish currency of compliance.
- Law:
- GDPR + Data Protection Act (Databeskyttelsesloven) + Cookie Order
- Regulator:
- Datatilsynet
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
€20,000,000 or 4% of global annual revenue, whichever is higher — imposed via criminal courts
What Denmark requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Privacy policy (privatlivspolitik)
Art. 13–14 GDPRPrivacy notice with concrete retention periods — Danish enforcement history centres on retention promises companies failed to keep.
How to implement Whatever deletion schedule you publish, automate it. Taxa 4x35's fine came from keeping data past its own stated deadline, not from the deadline itself.
Required -
Cookie consent banner
Cookiebekendtgørelsen §3Opt-in consent with prior blocking; Danish guidance requires consent to be as easy to withdraw as to give.
How to implement Standard EU CMP configuration with a Danish-language banner; link a 'withdraw consent' control in the footer.
Required -
Records of processing (ROPA)
Art. 30 GDPRStandard register; Datatilsynet's audit letters ask for it alongside your risk assessments.
How to implement Use Datatilsynet's published templates — Danish supervision is documentation-first, and matching their format speeds up responses.
Required -
Data protection officer
Art. 37 GDPRGDPR-baseline thresholds; notify Datatilsynet of appointments.
How to implement Register via Virk.dk and publish contact details in your privatlivspolitik.
Conditional -
Breach notification process
Art. 33–34 GDPR72-hour notification via Virk.dk plus a documented risk assessment per incident.
How to implement Datatilsynet's published decisions show it checks whether your assessment considered all harm types — use its assessment framework as your template.
Required -
Risk-assessed cloud vendor choices
Ch. V GDPR + Schrems IIThe Helsingør/Google Workspace case shows Danish supervision demands documented risk assessments before deploying US cloud services at scale.
How to implement Before adopting a US-based processor for sensitive contexts, write a short DPIA-style assessment: data categories, transfer mechanism, and mitigations.
Recommended
The details
- Cookie consent
- The Danish Cookie Order (Cookiebekendtgørelsen) requires informed opt-in consent for non-essential cookies, supervised by the Agency for Digital Government with Datatilsynet covering the data side. Prior blocking and a real reject option are required.
- Data Protection Officer
- GDPR baseline thresholds; DPO appointments are notified to Datatilsynet electronically.
- Processing agreements
- Art. 28 databehandleraftale required with every processor. Datatilsynet publishes its own standard DPA template, widely used in Danish contracting.
- Breach notification
- Report within 72 hours via Virk.dk's breach form. Datatilsynet publishes detailed breach-handling decisions and expects a written risk assessment for every incident.
- Enforcement in practice
- Datatilsynet recommended a DKK 1.2M fine against taxi company Taxa 4x35 for retaining 9M rides' data past its own deletion deadline; courts later fined furniture chain ILVA DKK 1M.
Data subject rights
What users can demand from you in Denmark, and the engineering that satisfies each right.
Right to access
Art. 15 GDPRCopy of personal data and processing details within one month.
Respond within 30 days; Datatilsynet issues 'serious criticism' decisions (reputationally costly) even where no fine follows.
Right to erasure
Art. 17 GDPRDeletion when data is no longer necessary or consent withdrawn.
Danish bookkeeping law requires 5-year retention of accounting records. Crucially: enforce your own stated deletion deadlines — that's the Danish enforcement pattern.
Right to data portability
Art. 20 GDPRMachine-readable export of user-provided data.
JSON/CSV export for consent- and contract-based data.
Right to rectification
Art. 16 GDPRCorrection of inaccurate personal data.
Self-service edits plus a support channel.
Right to restrict processing & to object
Art. 18, 21 GDPRFreeze during disputes; absolute objection to direct marketing.
Denmark's Robinson list (CPR-Robinsonlisten) must be checked before direct marketing to consumers.
Automated decision-making
Art. 22 GDPRProtection against solely automated significant decisions.
Disclose logic and provide human review; Danish public-sector algorithm scrutiny is high and spills into vendor requirements.
Tools that cover Denmark
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
cookie consent
Cookiebot
Danish-founded CMP — built around the Danish Cookie Order and EU rules from day one.
Visit Cookiebot → -
privacy policy
iubenda
Danish-language policies with the concrete retention wording Datatilsynet expects.
Visit iubenda → -
dpa template
Termly
DPA templates compatible with Datatilsynet's standard databehandleraftale structure.
Visit Termly →
Frequently asked questions
Why are Danish GDPR fines so rare?
Denmark (like Estonia) has no administrative fining power — Datatilsynet must refer cases to police and courts, so fines take years. Instead it issues public 'criticism' decisions and orders, which hit reputation and can ban processing outright, as in the Google Workspace schools case.
What is the single most Danish compliance mistake?
Publishing a deletion policy and not automating it. Danish decisions repeatedly punish companies for holding data past their own stated deadlines. Set retention jobs in code, not in policy documents.
Can Danish organisations use US cloud services?
Yes, with documented risk assessment — the Helsingør case was about deploying Google Workspace for schoolchildren without adequate assessment, not a blanket ban. Post-DPF, standard SaaS usage with a DPA and transfer mapping is workable.
Where do I report a breach in Denmark?
Through the joint public portal Virk.dk, which routes to Datatilsynet. Keep your written risk assessment — Datatilsynet's follow-up questions focus on how you scored the risk to individuals.
Similar jurisdictions
Free download
Get GDPR updates for Denmark
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.