Danish Data Protection Act

The Danish Data Protection Act (Databeskyttelsesloven) is the Danish law that supplements the GDPR with national rules for processing personal data. It covers areas such as CPR numbers, consent age thresholds and criminal data that the GDPR leaves to member states.

Back to Dictionary

What is the Danish Data Protection Act?

The Danish Data Protection Act (Act No. 502 of 23 May 2018) is the Danish law that supplements the GDPR. It entered into force on 25 May 2018, at the same time as the GDPR became applicable, and replaced the former Personal Data Act of 2000.

The GDPR is an EU regulation that applies directly in all member states. However, the regulation allows member states to establish national rules in a number of areas. The Danish Data Protection Act contains these national rules.

As a data controller in Denmark, you must comply with both the GDPR and the Danish Data Protection Act. The two sets of rules are read in conjunction, and the Danish Data Protection Agency supervises compliance with both.

Key provisions

The Danish Data Protection Act contains several important national provisions:

CPR numbers (§ 11): Public authorities may process CPR numbers when objectively justified. Private organisations may process them when required by law, when the data subject has given consent, or when processing is necessary for unambiguous identification.
Consent age threshold (§ 6(2)): Children must be at least 13 years old to give valid consent to information society services. Parental consent is required for children under 13.
Criminal data (§ 8): Processing of data concerning criminal offences and convictions is regulated nationally.
Employment relationships (§ 12): Special rules for processing personal data in the context of employment.
Research and statistics (§§ 10, 14): Rules for processing personal data for scientific and statistical purposes.

The Act also establishes the Danish Data Protection Agency as the independent supervisory authority for data protection in Denmark.

Relationship between the GDPR and the Danish Data Protection Act

The GDPR and the Danish Data Protection Act are not alternatives. You must comply with both. The GDPR contains the overarching principles for processing personal data, including the requirements for a legal basis, data subject rights and data processing agreements.

The Danish Data Protection Act fills the gaps in areas where the GDPR provides flexibility. This includes:

The age threshold for children's consent (the GDPR allows 13–16 years; Denmark chose 13)
Rules for CPR numbers (a Danish speciality with no equivalent in the GDPR)
Exemptions for processing for journalistic, artistic and literary purposes
Sanctions and criminal provisions (§§ 41–42)

In practice, this means you always start with the GDPR and then check whether the Danish Data Protection Act imposes additional requirements.

The Danish Data Protection Act in practice

For most Danish organisations, the Danish Data Protection Act has the greatest practical significance in relation to CPR numbers and employment.

If you process CPR numbers, you must ensure you have a specific legal basis. You cannot simply rely on your GDPR legal basis. CPR numbers require independent authorisation under § 11 of the Danish Data Protection Act.

Your record of processing activities should reflect which processing activities are regulated by the Danish Data Protection Act in addition to the GDPR. This gives you a better overview and makes it easier to demonstrate compliance during inspections.

Your privacy policy must refer to both the GDPR and the Danish Data Protection Act when you process data under the national law. The duty to inform requires you to be specific about the legal basis.

Frequently Asked Questions about Danish Data Protection Act

What is the difference between the Danish Data Protection Act and the GDPR?

The GDPR is an EU regulation that applies directly in all member states. The Danish Data Protection Act is the national law that supplements the GDPR in areas where the regulation allows member states to set national rules, such as consent age thresholds, processing of CPR numbers and criminal data.

When did the Danish Data Protection Act enter into force?

The Danish Data Protection Act entered into force on 25 May 2018, at the same time as the GDPR became applicable. It replaced the former Personal Data Act of 2000.

What does the Danish Data Protection Act say about CPR numbers?

Section 11 contains special rules for processing CPR numbers. Public authorities may process them when objectively justified. Private organisations may process them when required by law, when the data subject has given consent, or when processing is necessary for unambiguous identification.

What is the consent age threshold in Denmark?

In Denmark, the consent age threshold for information society services is 13 years, pursuant to Section 6(2) of the Danish Data Protection Act. Children under 13 require parental consent for services such as social media.