Danish Data Protection Agency

The Danish Data Protection Agency (Datatilsynet) is Denmark's independent supervisory authority for data protection. It supervises compliance with the GDPR and the Danish Data Protection Act, handles complaints, advises on data protection and can issue orders and recommend fines.

Back to Dictionary

What is the Danish Data Protection Agency?

The Danish Data Protection Agency is the supervisory authority for data protection in Denmark. As an independent public body, it supervises compliance by all organisations in Denmark with the GDPR and the Danish Data Protection Act.

Each EU country has its own supervisory authority pursuant to GDPR Article 51. In Denmark, the Danish Data Protection Agency fills this role. It cooperates with other EU supervisory authorities through the European Data Protection Board (EDPB).

The Agency's tasks include:

Supervision of data controllers and data processors
Handling complaints from data subjects
Guidance and advice on data protection
Receiving notifications of data breaches
Prior consultation on data protection impact assessments with high residual risk

Powers of the Agency

The Danish Data Protection Agency has extensive powers to enforce data protection rules:

Investigative powers: It can require access to all relevant information, conduct supervisory visits and review certificates and attestations.
Corrective powers: It can issue warnings, orders to bring processing into compliance, orders to inform data subjects and prohibitions on processing.
Fine recommendations: In Denmark, the Agency cannot itself impose fines. It recommends to the police that a fine case be brought. The courts determine the amount.

The GDPR provides for fines of up to EUR 20 million or 4% of global annual turnover for the most serious infringements.

How an inspection works

The Agency conducts inspections either on a planned basis or reactively on the basis of complaints or notifications. A typical inspection process:

Notification: You typically receive advance notice of a planned inspection with a list of documentation they wish to see.
Document review: The Agency reviews your record of processing activities, data processing agreements, privacy policy and other documentation.
Questions and inspection: They may ask questions about your procedures and carry out physical or digital inspection.
Decision: The Agency issues a decision that may contain orders, recommendations or findings of infringement.

Your DPO is typically the contact point for inspections. Ensure your documentation is up to date so you can respond quickly.

When must you contact the Agency?

You must contact the Danish Data Protection Agency in the following situations:

Data breaches: Within 72 hours of becoming aware of a breach that poses a risk to data subjects.
Prior consultation: When a data protection impact assessment reveals high residual risk that you cannot sufficiently reduce.
Appointment of DPO: You must notify the Agency of the contact details of your DPO.

You may also contact the Agency for general guidance, but it cannot provide specific legal advice about your particular situation.

Frequently Asked Questions about Danish Data Protection Agency

What is the role of the Danish Data Protection Agency?

The Danish Data Protection Agency is Denmark's independent supervisory authority for data protection. It supervises compliance with the GDPR and the Danish Data Protection Act, handles complaints from citizens, advises on data protection and can issue orders and recommend fines.

Can the Danish Data Protection Agency impose fines?

The Agency cannot itself impose fines. It can recommend to the police that a fine case be brought. The courts make the final decision on the amount. The Agency can, however, issue orders, prohibitions and warnings.

When must you contact the Danish Data Protection Agency?

You must notify the Agency of data breaches within 72 hours if the breach poses a risk to data subjects. You may also contact them for prior consultation on high-risk DPIAs, or for general guidance on data protection.

How does an inspection from the Agency work?

The Agency conducts inspections either on a planned basis or following complaints. It may request documentation, ask questions and carry out inspections. You are obliged to cooperate, and your DPO is typically the contact point.