GDPR in Denmark vs. the EU GDPR – here’s how it works

In a nutshell: The EU GDPR is the basic set of rules that applies equally throughout the EU/EEA. In Denmark it is supplemented by the Danish Data Protection Act, which clarifies and fills in certain areas, e.g. the use of CPR numbers and the processing of information about criminal offenses.

What are the “EU parts” – what always applies?

The common EU set: definitions (personal data, controller/processor), principles (lawfulness, transparency, data minimization, etc.), the six lawful bases for processing, data subject rights, security requirements, data breach handling, etc.

  • Personal data: any info that can be linked to a person (name, email, IP, position, salary information, etc.).
  • Processing: all actions with data (collection, storage, use, sharing, deletion).
  • Data Controller / Data Processor: the one who determines the purposes and means vs. the one who processes for the controller.
  • Consent: voluntary, specific, informed and unambiguous yes.

The principles (the backbone of GDPR)

Processing must follow seven basic principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability (you must be able to prove compliance).

Six lawful bases for processing (why are you allowed to process?)

  1. Consent (a) – the data subject gives consent for a clear purpose.
  2. Contract (b) – necessary to fulfill/enter into an agreement (e.g. delivery).
  3. Legal obligation (c) – required by law (e.g. accounting rules).
  4. Vital interests (d) – to protect life/health.
  5. Public task/official authority (e) – necessary for a task in the public interest or in the exercise of official authority.
  6. Legitimate interests (f) – your legitimate purposes outweigh the interests of the data subject (requires a balancing of interests).

Rights of the data subject (what people can ask for)

  • Access (Art. 15): “Show me what information you have about me.”
    Example: “Send me a copy of my data from your customer system.”
  • Rectification (Art. 16): “Correct what is incorrect or incomplete.”
    Example: “My address has changed – please correct it in your system.”
  • Erasure (Art. 17): “Delete my data when you no longer have a good reason to keep it.”
    Example: “Delete my old support account.” (Subject to retention required by law.)
  • Restriction of processing (Art. 18): “Pause my data.”
    Example: “Don’t use my data until you have checked that it is correct.”
  • Data portability (Art. 20): “Give me my data in a common file format so I can take it somewhere else.”
    Example: “Send my training data as a file so I can upload it to another service.”
  • Objection (Art. 21): “Stop a specific use of my data.”
    Example: “Stop sending me direct marketing.”
  • Automated decisions/profiling (Art. 22): “If a decision is made solely by an algorithm, I want a human to look at it.”
    Example: “You automatically rejected my application – get a human to review it.”

Security requirements (appropriate protection, risk-based)

You must have appropriate technical and organizational measures: e.g. pseudonymization/encryption, availability and resilience of systems, the ability to restore data after an incident, and regular testing/monitoring of the measures. The requirement is risk-based and must fit the purpose, scope and risk of the processing.

Data breaches (when and who should be notified?)

  • The supervisory authority (in Denmark, the Danish Data Protection Agency) must generally be notified without undue delay and no later than 72 hours after you become aware of the breach (with reasons for any delay).
  • The data subjects must be informed without undue delay when the breach is likely to result in a high risk to their rights/freedoms.
  • You must document all breaches (facts, impact, actions), including those you do not report.

“Privacy by design & by default”

Build in data protection from the start and by default: limit data, access and views to what is necessary for the purpose, and choose solutions and settings that protect privacy automatically, so the most privacy-friendly option applies unless the user actively changes it.

Accountability and records (the proof that you’re doing the right thing)

You must be able to demonstrate compliance (accountability), e.g. through records of processing activities (who, what, why, how long, security, transfers). This is a core obligation for both controllers and processors.

In short: The common EU set is the definitions, principles, six lawful bases, rights, security/privacy by design, breach management, accountability and records. It is the framework that all member states must follow. On top of this there may be narrow national special rules (e.g. CPR in Denmark), but the baseline is the same throughout the EU/EEA.

Where can Denmark make its own rules?

The EU gives countries leeway on a few points. The most important one in Danish everyday life is national identifiers: GDPR Article 87 states that Member States may lay down specific conditions for the processing of national ID numbers – in Denmark, the CPR number.

In practice, this means that processing of CPR numbers is separately regulated in Section 11 of the Danish Data Protection Act and that public and private actors may only use the CPR number when the conditions there are met. The Danish Data Protection Agency specifically emphasizes that the CPR number is subject to special rules.

In addition, there are Danish special rules and practices in selected areas – for example video surveillance – where national rules and the Danish Data Protection Agency’s guidelines supplement GDPR (e.g. on the definition of surveillance, signage and deletion deadlines).

Who decides what – in Denmark and at EU level?

  • Danish Data Protection Agency (DK): supervises in Denmark and publishes guidelines, decisions and practice.
  • EDPB (European Data Protection Board): gathers and coordinates interpretation across countries. For cross-border processing the one-stop-shop mechanism applies: a lead supervisory authority (LSA) leads the case, in collaboration with the other supervisory authorities concerned.

The consequence for Danish companies: If you have cross-border processing, you can have one lead authority (often the Danish Data Protection Agency, if the decisions about the processing are made and implemented in Denmark), but local rules and language requirements in other countries still apply to information given to data subjects and to the special areas where national rules exist.

What does this mean in practice for you in Denmark?

  • Use GDPR as the common baseline, but check Danish special rules where they exist (typically CPR numbers, criminal offenses, surveillance).
  • Make sure that privacy texts and consents are in understandable Danish when the target audience is in Denmark.
  • When engaging suppliers, your DPAs (data processing agreements) must comply with both GDPR and Danish requirements/practice.
  • In the case of cross-border flows: document your main establishment and where decisions are made, to clarify which authority is the LSA, and expect dialog with multiple supervisory authorities if the processing affects multiple countries.

Next steps

The Grapes GDPR course (approx. 30 min., Danish/English) gives the entire organization a common, documentable level of knowledge.