The Data Protection Regulation and the Data Protection Act, which have been in force since 25 May 2018, provide for a new, significantly increased level of fines that must be effective and deterrent. The regulation also presupposes that the Member States harmonize the sanctions for breaches of the data protection rules.
In Denmark, the Data Protection Authority is the supervisory authority that supervises the compliance of private and public authorities with the data protection rules. As far as the Courts’ processing of personal data is concerned, the task is left to the Danish Courts Agency. The Norwegian Data Protection Authority processes complaints and can, if necessary, initiate investigations on its own initiative.
As part of the enforcement of the data protection rules, the Danish Data Protection Authority has been granted a number of powers. These powers are divided into investigative powers, corrective powers and approval and advisory powers. This article deals exclusively with the first two types of powers.
As far as the investigation of the data processor’s compliance with the data protection rules is concerned, the Data Protection Authority can demand from the data processor any information that is of importance to its business – in other words, the Data Protection Authority can issue orders that the data processor must hand over information. Next, the Danish Data Protection Authority has access, without a court order, to the premises of the data processor, from which processing of personal data is carried out.
If the Norwegian Data Protection Authority concludes that the data processor does not comply with the data protection rules, it is assigned a number of so-called corrective powers, of which warnings, criticism, various orders, prohibitions and fines are the most important. This article deals exclusively with fines for companies.
When the Danish Data Protection Authority has to set a fine, this is generally done based on the considerations set out in Article 83 of the data protection regulation. The fine must thus be effective, proportionate to the violation and have a deterrent effect.
Based on the general principles that follow from the data protection regulation, the Danish Data Protection Authority has issued fine guidelines regarding both fines for natural persons and fines for companies. As far as fines for companies are concerned, it follows from the guidelines for the assessment of fines for companies that the Danish Data Protection Authority first determines the so-called basic amount, which is then adjusted on the basis of a number of elements:
- The Norwegian Data Protection Authority determines the basic amount
- The basic amount is adjusted based on the nature, seriousness and duration of the violation
- Additional aggravating or mitigating circumstances are included
- If the fine now exceeds the data protection regulation’s maximum, it will be adjusted down
- If there are good reasons for this, the fine can be adjusted due to the company’s ability to pay
Since the calculation of the total fine is relatively complex, this article deals only with the general features of the calculation of the basic amount. In the calculation of the basic amount, the nature of the violation and the size of the company are taken into account. The Danish Data Protection Authority has published a number of decisions which can contribute to a more concrete understanding of the level of fines. You can find the published fine cases here.
According to the data protection regulation, companies can be fined up to:
- 75 million DKK (static fine ceiling) or 2% of the company’s total global turnover (dynamic fine ceiling), whichever amount is higher. The Danish Data Protection Authority has divided these violations into categories 1-3, where category 3 can result in the largest fine.
- 150 million DKK (static fine ceiling) or up to 4% of the company’s total global turnover (dynamic fine ceiling), whichever amount is higher. The Danish Data Protection Authority has divided these violations into categories 4-6, where category 6 can result in the highest fine.
In addition to the powers to issue fines, the Danish Data Protection Authority is authorized to publish its statements and decisions. In practice, this means that the data processor’s errors can be published on the Danish Data Protection Authority’s website, from which anyone (including journalists) has access to the circumstances of the case and the Danish Data Protection Authority’s position on this.
The data protection rules can seem very confusing to many ordinary people. As stated above, lack of knowledge of the rules can have very large financial consequences as well as consequences for the publicity of your company.
If you are in doubt as to whether your company’s processing of personal data is in accordance with the data protection rules, you can always contact DreistStorgaard Advokater. We are available for any questions you may have. You can contact us on phone 56 63 44 66 or by email email@example.com.