Denmark's data protection authority, Datatilsynet (the Danish Data Protection Agency, or DPA), has entered a markedly more assertive enforcement phase. Organisations that have treated GDPR compliance as a background administrative task are now discovering that Danish regulators issue binding orders, substantial fines, and public reprimands with increasing regularity. International companies processing personal data of Danish residents face real exposure if their consent mechanisms, data transfer arrangements, and controller-processor contracts have not been reviewed recently.
Denmark's DPA has materially intensified enforcement of data protection legislation across all sectors, with particular focus on unlawful data transfers, deficient consent mechanisms, and inadequate data processor agreements. Organisations acting as a data controller or data processor in relation to Danish residents are directly in scope. Businesses should treat an immediate compliance audit as a priority, given that investigation timelines are short and remediation orders carry strict deadlines.
This alert sets out what has changed, which business categories are most exposed, and the concrete steps international companies must take now.
What has changed and the enforcement context
Denmark's DPA has published a series of enforcement decisions and sector-specific guidance over the past twelve months. Several themes run through its recent actions.
First, the DPA has concentrated on cross-border data transfers to third countries outside the European Economic Area. Where standard contractual clauses are used without a prior transfer impact assessment, the authority has found violations of data protection legislation and imposed corrective orders. Companies relying on legacy transfer mechanisms that predate the current standard clauses are particularly exposed.
Second, the DPA has scrutinised consent mechanisms on websites and apps serving Danish users. Cookie banners that make rejection more difficult than acceptance, pre-ticked boxes, and bundled consent have all attracted findings of non-compliance. The authority's position aligns with the broader European Data Protection Board guidance, but Danish enforcement has been distinctly hands-on.
Third, the DPA has examined contracts between data controllers and data processors. Where processor agreements lack mandatory clauses required under data protection legislation – including sub-processor controls and security obligations – the authority has issued formal reprimands and binding remediation orders. In several cases, these orders carried compliance deadlines of 30 to 60 days.
For international companies operating Danish subsidiaries or targeting Danish consumers online, these enforcement actions are a direct signal. Non-compliance is no longer a theoretical risk.
Companies with questions about data protection compliance in Denmark can obtain a structured assessment tailored to their operational profile.
To receive an expert assessment of your GDPR exposure in Denmark, contact us at info@ferrazwhitmore.com.
Who is affected and which thresholds apply
The DPA's recent enforcement activity cuts across several business categories. The following types of organisation face the most immediate risk.
- E-commerce and digital platforms targeting Danish consumers, particularly those using third-party analytics, advertising networks, or behavioural tracking tools.
- Technology and SaaS companies acting as data processors for Danish clients, where processor agreements were drafted before current legislative requirements were clarified.
- Financial services and fintech companies transferring customer data to group entities or service providers outside the EEA.
- Healthcare and HR technology providers handling special-category personal data, where consent and legitimate interest bases require careful documentation.
There is no de minimis threshold under data protection legislation. A small business processing a modest volume of Danish user data is as legally exposed as a large enterprise if its consent mechanism or data transfer arrangements are deficient. The DPA has demonstrated a willingness to act against organisations of all sizes.
Companies using AI-driven data processing tools should also note that the DPA has signalled interest in algorithmic profiling and automated decision-making. Organisations deploying such tools should review their obligations under both data protection legislation and emerging AI regulation. Our analysis of AI and technology law in Denmark provides further detail on these intersecting obligations.
Compliance deadlines in DPA remediation orders have ranged from 30 days for urgent corrective actions to 90 days for structural programme changes. Where no prior order exists, organisations should treat the next 60 days as the practical window for completing a gap analysis and implementing priority fixes.
Immediate actions for international companies
The following steps address the specific risk areas identified in the DPA's recent enforcement decisions. They should be treated as a sequenced action plan, not a general checklist.
1. Audit all data transfers to third countries. Map every flow of personal data leaving the EEA. Verify that current standard contractual clauses are in place – not legacy versions – and that a transfer impact assessment has been conducted for each destination country. Where gaps exist, suspend or restrict the transfer until compliant arrangements are documented.
2. Review and remediate consent mechanisms. Test every consent banner, cookie layer, and opt-in form used on Danish-facing digital properties. Ensure that declining consent requires no more steps than accepting it. Remove pre-ticked boxes. Ensure that consent is specific, granular, and freely given. Document the consent mechanism design and the legal basis for each processing activity.
3. Update data processor agreements. Review every agreement with external vendors who process personal data on your behalf. Confirm that each agreement contains the mandatory clauses required under data protection legislation, including sub-processor authorisation, security obligations, audit rights, and data deletion provisions. Engage vendors who resist updating their agreements.
4. Verify records of processing activities. Confirm that your records are current, accurate, and accessible to the DPA on request. Outdated or incomplete records are themselves a compliance failure and signal to investigators that broader gaps may exist.
5. Designate or confirm a data protection contact point. If your organisation is required to appoint a data protection officer under data protection legislation, verify that the appointment is current and properly registered. If no appointment is required, designate an internal contact point responsible for engaging with the DPA if an investigation is opened.
For a tailored strategy on GDPR compliance and data transfer remediation in Denmark, reach out to info@ferrazwhitmore.com.
Organisations with questions about related enforcement developments may also find our alert on data protection enforcement in Portugal useful for cross-border programme design.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international companies in building and maintaining GDPR compliance programmes across European markets, including Denmark. Engaging a lawyer in Denmark or any EU jurisdiction with cross-border data protection experience is critical when regulatory enforcement intensifies. As an international law firm advising on data protection matters across Europe, we help organisations assess their exposure as a data controller or data processor. Remediate deficient consent mechanisms and data transfer arrangements, and respond to DPA investigations. Our team combines Portuguese civil law expertise with English common law tradition, supporting in-house legal teams and international businesses operating across multiple legal systems. To discuss your data protection situation in Denmark, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.