Search
Close
What are you looking for?
Search our articles, guides, and services to find answers to your legal questions.
The Data Protection Regulation and the Data Protection Act, which have been in force since 25 May 2018, provide for a new, significantly increased level of fines that must be effective and deterrent. With the regulation, it is also assumed that the Member States harmonize the sanctions for breaches of the data protection rules.
In Denmark, it is the Data Protection Authority that, as the supervisory authority, controls the compliance of private and public authorities with the data protection rules. As far as the Courts’ processing of personal data is concerned, the task is left to the Danish Courts Agency. The Norwegian Data Protection Authority processes complaints and can, if necessary, initiate investigations on its own initiative.
As part of the enforcement of the data protection rules, the Danish Data Protection Authority has been granted a number of powers. These powers are divided into investigative powers, corrective powers and approval and advisory powers. This article deals exclusively with the first two types of powers.
As far as the investigation of the data processor’s compliance with the data protection rules is concerned, the Data Protection Authority can demand from the data processor any information that is of importance to its business – in other words, the Data Protection Authority can issue orders that the data processor must hand over information. Next, the Danish Data Protection Authority has access, without a court order, to the premises of the data processor, from which processing of personal data is carried out.
If the Norwegian Data Protection Authority concludes that the data processor does not comply with the data protection rules, it is assigned a number of so-called corrective powers, of which warnings, criticism, various orders, prohibitions and fines are the most important. This article deals exclusively with fines for companies.
When the Danish Data Protection Authority has to set a fine, this is generally done based on the considerations set out in the data protection regulation article 83. The fine must thus be effective, proportionate to the violation and have a deterrent effect.
Based on the general principles that follow from the data protection regulation, the Danish Data Protection Authority has issued fine guidelines regarding both fines for natural persons and fines for companies. As far as fines for companies are concerned, it follows from the guidelines for the assessment of fines for companies that the Danish Data Protection Authority first determines the so-called basic amount, which is then adjusted on the basis of a number of elements:
The Norwegian Data Protection Authority determines the basic amount
The basic amount is adjusted based on the nature, seriousness and duration of the violation
Additional aggravating or mitigating circumstances are included
If the fine now exceeds the data protection regulation’s maximum, it will be adjusted down
If there are good reasons for this, the fine can be adjusted due to the company’s ability to pay
Since the calculation of the total fine is relatively complex, this article deals only with the general features of the calculation of the basic amount. In the calculation of the basic amount, the nature of the violation and the size of the company are taken into account. The Danish Data Protection Authority has published a number of decisions which can contribute to a more concrete understanding of the level of fines. You can find the published fine cases here.
According to the data protection regulation, companies can be fined a maximum of up to:
75 million DKK (static fine ceiling) or 2% of the company’s total global turnover (dynamic fine ceiling), whichever amount is higher. The Danish Data Protection Authority has divided these violations into categories 1-3, where category 3 can result in the largest fine.
150 million DKK (static fine ceiling) or up to 4% of the company’s total global turnover (dynamic fine ceiling), whichever amount is higher. The Danish Data Protection Authority has divided these violations into categories 4-6, where category 6 can result in the highest fine.
In addition to the powers to issue fines, the Danish Data Protection Authority is authorized to publish its statements and decisions. In practice, this means that the data processor’s errors can be published on the Danish Data Protection Authority’s website, from which anyone (including journalists) has access to the circumstances of the case and the Danish Data Protection Authority’s position on this.
Concluding remarks
The data protection rules can seem very confusing to many ordinary people. As stated above, lack of knowledge of the rules can have very large financial consequences as well as consequences for the publicity of your company.
If you are in doubt as to whether your company’s processing of personal data is in accordance with the data protection rules, you can always contact DreistStorgaard Advokater. We are available for any questions you may have. You can contact us on phone 56 63 44 66 or by email kontakt@dslaw.dk.
The Data Protection Regulation and the Data Protection Act, which have been in force since 25 May 2018, provide for a new, significantly increased level of fines that must be effective and deterrent. With the regulation, it is also assumed that the Member States harmonize the sanctions for breaches of the data protection rules.
In Denmark, it is the Data Protection Authority that, as the supervisory authority, controls the compliance of private and public authorities with the data protection rules. As far as the Courts’ processing of personal data is concerned, the task is left to the Danish Courts Agency. The Norwegian Data Protection Authority processes complaints and can, if necessary, initiate investigations on its own initiative.
As part of the enforcement of the data protection rules, the Danish Data Protection Authority has been granted a number of powers. These powers are divided into investigative powers, corrective powers and approval and advisory powers. This article deals exclusively with the first two types of powers.
As far as the investigation of the data processor’s compliance with the data protection rules is concerned, the Data Protection Authority can demand from the data processor any information that is of importance to its business – in other words, the Data Protection Authority can issue orders that the data processor must hand over information. Next, the Danish Data Protection Authority has access, without a court order, to the premises of the data processor, from which processing of personal data is carried out.
If the Norwegian Data Protection Authority concludes that the data processor does not comply with the data protection rules, it is assigned a number of so-called corrective powers, of which warnings, criticism, various orders, prohibitions and fines are the most important. This article deals exclusively with fines for companies.
When the Danish Data Protection Authority has to set a fine, this is generally done based on the considerations set out in the data protection regulation article 83. The fine must thus be effective, proportionate to the violation and have a deterrent effect.
Based on the general principles that follow from the data protection regulation, the Danish Data Protection Authority has issued fine guidelines regarding both fines for natural persons and fines for companies. As far as fines for companies are concerned, it follows from the guidelines for the assessment of fines for companies that the Danish Data Protection Authority first determines the so-called basic amount, which is then adjusted on the basis of a number of elements:
The Norwegian Data Protection Authority determines the basic amount
The basic amount is adjusted based on the nature, seriousness and duration of the violation
Additional aggravating or mitigating circumstances are included
If the fine now exceeds the data protection regulation’s maximum, it will be adjusted down
If there are good reasons for this, the fine can be adjusted due to the company’s ability to pay
Since the calculation of the total fine is relatively complex, this article deals only with the general features of the calculation of the basic amount. In the calculation of the basic amount, the nature of the violation and the size of the company are taken into account. The Danish Data Protection Authority has published a number of decisions which can contribute to a more concrete understanding of the level of fines. You can find the published fine cases here.
According to the data protection regulation, companies can be fined a maximum of up to:
75 million DKK (static fine ceiling) or 2% of the company’s total global turnover (dynamic fine ceiling), whichever amount is higher. The Danish Data Protection Authority has divided these violations into categories 1-3, where category 3 can result in the largest fine.
150 million DKK (static fine ceiling) or up to 4% of the company’s total global turnover (dynamic fine ceiling), whichever amount is higher. The Danish Data Protection Authority has divided these violations into categories 4-6, where category 6 can result in the highest fine.
In addition to the powers to issue fines, the Danish Data Protection Authority is authorized to publish its statements and decisions. In practice, this means that the data processor’s errors can be published on the Danish Data Protection Authority’s website, from which anyone (including journalists) has access to the circumstances of the case and the Danish Data Protection Authority’s position on this.
Concluding remarks
The data protection rules can seem very confusing to many ordinary people. As stated above, lack of knowledge of the rules can have very large financial consequences as well as consequences for the publicity of your company.
If you are in doubt as to whether your company’s processing of personal data is in accordance with the data protection rules, you can always contact DreistStorgaard Advokater. We are available for any questions you may have. You can contact us on phone 56 63 44 66 or by email kontakt@dslaw.dk.
Do you need legal advice? We are ready to help.
At DreistStorgaard you will meet experienced specialists with strong professional skills.
Contact us today.
"A really good collaboration from start to finish. Svend-Aage Dreist Hansen and Carina Halby Hansen have been competent, professional, detail-oriented and have guided us safely through first a house sale and subsequently a house purchase."
"We used DreistStorgaard Advokater in connection with the purchase of a summer house. Søren Storgaard and Carina Halby have been super fast and very competent. We felt completely safe. Highly recommended."
"Christine Finderup Vigsted is an excellent professional. I felt comfortable with her handling all documentation and transfer during the sale of my apartment. She was always very helpful and answered all my questions."
Bag Haverne 32, 4600 Køge
Garnisonsvej 2, 4700 Næstved
Skomagergade 15, 3, 4000 Roskilde
Vestre Ringgade 26-28, 1.sal, 8000 Aarhus C
Sports Allé 5B, 1.th., 4300 Holbæk
Poul Bundgaards vej 1E, 2500 København
Energivej 3, 4180 Sorø
