A European subsidiary established in Copenhagen. A SaaS provider serving Danish business customers. A multinational running HR systems that process employee data in Denmark. Each faces the same reality: GDPR compliance in Denmark is not a one-time project. It is an ongoing legal obligation with direct enforcement consequences. The Danish data protection authority, Datatilsynet (the Danish Data Protection Agency), operates one of the more active supervisory regimes in the Nordic region. Failures to document processing activities, maintain lawful consent mechanisms, or address cross-border data transfer obligations can trigger investigations, compliance orders, and administrative fines that scale with the severity of the breach.
Data protection compliance in Denmark is governed by the EU General Data Protection Regulation (GDPR) as supplemented by Danish data protection legislation. This legislation adapts certain provisions for national contexts, including employment records, public authority processing, and age thresholds for consent. Every organisation acting as a data controller or data processor in relation to Danish residents must maintain a record of processing activities, establish a lawful basis for each processing purpose, and implement technical and organisational security measures proportionate to the risk. Compliance programmes for foreign-owned businesses typically require six to twelve weeks to establish at a foundational level.
This guide walks through the procedural steps, documentary requirements, common errors made by international businesses entering the Danish market, and a decision checklist to match your compliance approach to your specific risk profile.
The Danish data protection regime: what makes it distinct
Denmark applies the GDPR directly as EU law. Danish data protection legislation – the Databeskyttelsesloven (Danish Data Protection Act) – sits alongside the Regulation and fills the gaps that the GDPR expressly leaves to member states. Understanding both layers is essential for any business operating in Denmark.
The Act adjusts several key provisions. It sets the age of digital consent at thirteen, which is lower than the GDPR's default ceiling of sixteen. This affects any business offering online services to younger users. The Act also contains specific provisions for processing in an employment context. Employers handling employee personal data for payroll, performance management, or background checks must satisfy requirements that go beyond the general GDPR conditions. Processing sensitive categories of data – health information, trade union membership, biometric identifiers – attracts additional restrictions under both layers.
Datatilsynet has the authority to issue binding compliance orders, carry out dawn inspections, and recommend administrative fines to Danish courts. Unlike several other EU supervisory authorities, the Danish authority regularly publishes case summaries and inspection outcomes. This means enforcement precedents are visible – and the expectations of Danish supervisors are more precisely calibrated than in jurisdictions where enforcement is less transparent.
For international businesses, a critical point of distinction is jurisdictional reach. The GDPR applies to any organisation established in Denmark. It also applies to organisations established outside the EU/EEA that offer goods or services to individuals in Denmark or monitor the behaviour of individuals in Denmark. A US-based e-commerce platform selling to Danish consumers, or a Canadian analytics company tracking Danish website users, falls within scope even without a physical presence in Denmark.
Practitioners advising on GDPR compliance in Denmark consistently highlight one structural misunderstanding: many foreign businesses treat the Regulation as primarily a technical matter – a checkbox exercise for privacy policies and cookie banners. In practice, the substantive obligations run deeper. They concern the legal architecture of processing relationships, the contractual obligations between data controllers and data processors, and the governance structures that must exist before any data flows across borders.
Step-by-step compliance programme: building the legal foundation
The following sequence reflects the standard methodology applied to international businesses entering or already operating in the Danish market. Each step builds on the previous one. Skipping steps creates gaps that surface later – typically during a supervisory inquiry or a due diligence process ahead of an acquisition or investment round.
Step 1 – Map all processing activities (weeks 1–2)
The starting point is a complete inventory of personal data flows within and across the organisation. This means identifying every category of personal data processed, the purpose for which it is processed, the legal basis relied upon, the retention period applied, and the parties who have access. This inventory becomes the foundation of the Record of Processing Activities (ROPA), which Danish law requires every data controller to maintain.
In practice, data mapping reveals processing activities that management was unaware of – legacy CRM systems, marketing analytics tools, employee monitoring software, or third-party integrations that were activated without a formal assessment. Each of these must be captured, categorised, and assessed against the legal basis requirements. A data controller that cannot demonstrate a lawful basis for each processing activity is exposed to enforcement action from the first supervisory contact.
Step 2 – Assign and document the legal basis for each processing purpose (weeks 2–3)
The GDPR provides six possible legal bases for processing personal data. In a business context, the three most commonly applied in Denmark are: legitimate interests of the data controller, performance of a contract with the data subject, and compliance with a legal obligation. Consent is a fourth basis, but it is often misused by foreign businesses as a catch-all. In Denmark, consent must be freely given, specific, informed, and unambiguous. It cannot be bundled with terms of service. And it must be as easy to withdraw as to give.
For each processing activity identified in Step 1, the legal basis must be determined and documented. Where legitimate interests is relied upon, a balancing test must be conducted and recorded. This is not a formality. If challenged – either by a data subject exercising their rights or by Datatilsynet – the organisation must be able to produce the reasoning.
Step 3 – Audit data processor relationships and execute data processing agreements (weeks 3–5)
Any third party that processes personal data on behalf of your organisation is a data processor. Cloud hosting providers, payroll bureaux, HR software vendors, marketing automation platforms, customer support tools – all of these relationships require a written data processing agreement (DPA) that meets the specific requirements of data protection legislation. The agreement must define the subject matter, duration, nature, and purpose of the processing. It must specify the categories of personal data and the obligations and rights of the data controller.
Many international businesses entering Denmark discover that their existing vendor contracts – negotiated under US or UK law – do not satisfy the requirements of Danish and EU data protection law. Remediation requires either renegotiating the relevant clauses or executing supplementary data processing agreements. This step is frequently the most time-consuming part of a compliance programme, particularly for businesses with large vendor ecosystems.
For guidance on how data protection legal services in Denmark can assist with structuring and auditing these agreements, our practice page provides a detailed overview of the support available to international clients.
Step 4 – Assess cross-border data transfer obligations (weeks 4–6)
Any transfer of personal data from Denmark to a country outside the European Economic Area requires a transfer mechanism that satisfies the requirements of data protection legislation. The available mechanisms include adequacy decisions, standard contractual clauses, binding corporate rules, and certain derogations for specific situations.
The transfer assessment process involves three sub-steps. First, identify every transfer – including onward transfers through third-party processors. Second, confirm whether the destination country benefits from an adequacy decision. Third, where no adequacy decision applies, implement the appropriate transfer mechanism and conduct a Transfer Impact Assessment (TIA) to verify that the mechanism provides effective protection in the destination country.
This step catches many foreign businesses off guard. A business headquartered in the United States that transfers Danish employee data to its US parent – even for internal HR purposes – must implement standard contractual clauses and document a TIA. The same applies to transfers to subsidiaries in countries that do not benefit from EU adequacy recognition.
Step 5 – Determine whether a Data Protection Officer is required (weeks 1–2, in parallel)
Danish data protection legislation implements the GDPR's mandatory DPO requirement without modification. A DPO must be appointed if the organisation is a public authority, if it carries out large-scale systematic monitoring of individuals, or if it processes special categories of personal data on a large scale. The DPO must be independent, have expert knowledge of data protection law, and be accessible to data subjects and Datatilsynet.
For many mid-sized international businesses, the DPO requirement is borderline. The threshold concept of "large scale" is not defined numerically in the legislation. Danish supervisory guidance and European Data Protection Board guidance suggest that processing the personal data of a significant portion of a regional population – or processing data across multiple EU member states – qualifies. Businesses that are uncertain should document their analysis and revisit it annually.
Step 6 – Implement Data Protection Impact Assessments for high-risk processing (ongoing)
A Data Protection Impact Assessment (DPIA) is mandatory before commencing any processing that is likely to result in a high risk to the rights and freedoms of individuals. Datatilsynet has published a list of processing types that always require a DPIA in Denmark. These include systematic profiling, large-scale processing of sensitive data, use of new technologies, and processing involving vulnerable groups such as employees or minors.
The DPIA process requires the organisation to describe the processing, assess necessity and proportionality, identify and evaluate risks to data subjects, and determine measures to address those risks. If the DPIA concludes that the residual risk remains high after mitigation measures are applied, the organisation must consult Datatilsynet before commencing the processing.
Businesses deploying AI-driven tools that process personal data face particular scrutiny at this step. For the intersection of AI systems and data protection obligations in Denmark, our analysis of AI law in Denmark provides further context on how these two regulatory regimes interact.
Step 7 – Build breach response procedures and data subject rights workflows (weeks 5–8)
The GDPR imposes a 72-hour notification deadline for personal data breaches that pose a risk to individuals. The notification must be made to Datatilsynet. If the breach poses a high risk to the affected individuals, those individuals must also be notified without undue delay.
Breach response readiness requires documented internal procedures: who identifies and escalates a breach, who assesses risk severity, who drafts and submits the notification, and who manages communication with data subjects. Businesses that have not built this infrastructure before a breach occurs will struggle to meet the 72-hour window – and late or incomplete notifications are themselves a basis for supervisory action.
Data subject rights – access, rectification, erasure, restriction, portability, and objection – must be honoured within one month of a request. This requires clear internal routing procedures and the technical ability to locate, extract, and in some cases delete personal data from all systems where it is held. Many businesses discover during compliance reviews that their systems cannot practically fulfil an erasure request without manual intervention across multiple platforms.
To receive a tailored assessment of your organisation's data protection exposure in Denmark, contact us at info@ferrazwhitmore.com.
Common errors by foreign businesses – and their consequences
Foreign clients entering the Danish market make a recognisable set of errors. Understanding them in advance reduces the cost and disruption of remediation.
Treating consent as the default legal basis. Many non-European businesses assume that obtaining consent covers all processing activities. In Denmark, this approach creates fragility. If the consent is later found to be invalid – because it was not freely given, or because it was bundled with other conditions – the entire legal basis for the processing collapses. Processing that could legitimately rest on a more stable basis, such as contractual necessity or legitimate interests, is more durable. Businesses that over-rely on consent face the prospect of having to re-establish a lawful basis retroactively, which is procedurally complex and potentially triggers breach notifications.
Failing to execute data processing agreements with all processors. A cloud storage provider, a marketing automation tool, an outsourced payroll bureau – each of these is a data processor. The obligation to execute a written DPA is absolute. Businesses that operate without these agreements are in breach of data protection legislation regardless of the technical security of their systems. In an acquisition context, the absence of DPAs is a material due diligence finding that can affect deal valuation or require remediation as a condition of closing.
Assuming that GDPR compliance in one EU jurisdiction equals compliance in Denmark. This is a frequent error. The Danish Data Protection Act introduces national variations that do not exist in every member state. The lower age threshold for consent, the employment-specific provisions, and the detailed Datatilsynet guidance on specific processing types all create Denmark-specific requirements. A compliance programme built for Germany or France must be reviewed and adapted for the Danish context.
Neglecting the Transfer Impact Assessment for internal data flows. Businesses that send data from their Danish entity to a non-EEA parent or group company for consolidated reporting, HR management, or IT support often do not recognise these internal flows as international data transfers requiring a transfer mechanism. Datatilsynet has addressed this in published guidance and in enforcement actions. The transfer mechanism must exist before the first data flow, not after an inquiry has been initiated.
Under-resourcing the data subject rights function. Data subject access requests (DSARs) are increasingly used by individuals, consumer advocacy groups, and in some cases competitors. A business that cannot respond within the statutory period – or that produces inaccurate or incomplete responses – exposes itself to complaints to Datatilsynet, which has the authority to investigate and order compliance. The cost of handling a single contested DSAR without proper infrastructure often exceeds the cost of building the infrastructure in the first place.
Self-assessment checklist: which compliance pathway fits your situation
Before initiating a compliance programme in Denmark, the following questions help calibrate the scope and urgency of the work required.
Threshold question: does your organisation fall within scope? Your organisation is in scope if it is established in Denmark, or if it is established elsewhere and offers goods or services to individuals in Denmark or monitors the behaviour of individuals in Denmark. If in doubt, assume you are in scope and seek a legal assessment.
Pathway A – New market entrant with no existing processing: This approach applies if your organisation is entering Denmark for the first time and has not yet commenced processing activities. Steps 1 through 7 above apply in sequence. The priority is to build the compliance architecture before processing begins. Retroactive compliance is significantly more costly and complex than building correctly from the outset.
Pathway B – Existing operations with legacy compliance gaps: This applies if your organisation already operates in Denmark but has not maintained a current ROPA, has outdated or missing DPAs, or has not conducted a transfer assessment. The priority is a gap analysis against current requirements, followed by a remediation plan with defined timelines. Supervisory inspections in Denmark are not always preceded by a complaint – Datatilsynet conducts sector-wide and thematic audits. Organisations in sectors such as fintech, healthcare-adjacent services, and HR technology are subject to heightened scrutiny.
Pathway C – High-risk processing operations: This applies if your organisation processes special categories of personal data on a meaningful scale, conducts automated decision-making with legal or similarly significant effects, or uses profiling, biometric data, or location tracking. DPIA obligations are engaged from the outset. A DPO appointment is likely mandatory. The compliance programme must be built around these high-risk activities first, with standard processing activities addressed in parallel.
Pathway D – Cross-border group operations: This applies to multinational groups with a Danish entity that shares data with non-EEA group members. Transfer mechanisms must be in place for each transfer relationship. If the group processes data across multiple EU jurisdictions, the question of lead supervisory authority – and whether Datatilsynet acts as lead or as a concerned authority – must be determined. This affects where complaints are filed and how pan-European enforcement proceedings are coordinated.
Verify the following before initiating any processing in Denmark:
- A complete ROPA covering all processing activities is drafted and signed off by a responsible owner within the organisation.
- A lawful basis has been determined and documented for each processing purpose, with balancing tests completed where legitimate interests is relied upon.
- Written DPAs are in place with every third-party data processor.
- Transfer mechanisms are implemented for every transfer of personal data to non-EEA countries, including internal group transfers.
- A DPO has been appointed where required, with the appointment registered with Datatilsynet.
- DPIAs have been completed for all high-risk processing activities.
- Breach response procedures are documented and tested, with designated individuals responsible for the 72-hour notification obligation.
- Data subject rights workflows are operational and capable of producing accurate responses within the statutory period.
For a preliminary review of your organisation's data protection compliance position in Denmark, email info@ferrazwhitmore.com.
Frequently asked questions
Q: How long does it take to achieve GDPR compliance in Denmark for a foreign-owned business?
A: For a straightforward business with limited data processing activities, a baseline compliance programme can be established in six to ten weeks. More complex organisations – those handling sensitive categories of personal data, running automated decision-making, or transferring data outside the EEA – should plan for three to six months. The timeline depends heavily on the volume of existing data flows and whether legacy systems require remediation.
Q: Does a foreign company processing Danish residents' data need to appoint a local representative?
A: A common misconception is that any foreign company touching Danish personal data must appoint a Danish representative. In practice, the obligation applies to controllers and processors established outside the EU/EEA who offer goods or services to individuals in Denmark, or who monitor behaviour in Denmark. If your company is already established within the EU/EEA, a separate Danish representative is generally not required, though a designated data protection officer may still be mandatory depending on the scale and nature of processing.
Q: What are the cost expectations for building a data protection compliance programme in Denmark?
A: Costs vary considerably by business size and complexity. Legal advisory and documentation for a small or medium-sized business typically start in the low thousands of euros for a foundational compliance review, with more comprehensive programmes, including DPIAs, consent mechanism audits, and data transfer assessments, running to the mid tens of thousands. Ongoing compliance maintenance, including annual reviews and breach response readiness, should be budgeted as a recurring cost. Engaging a law firm in Denmark with cross-border experience helps calibrate the scope to actual risk exposure rather than over-engineering the solution. You can also review comparable approaches in our guide to data protection compliance in Portugal to see how the methodology transfers across EU jurisdictions.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international businesses, technology companies, and institutional investors in building and maintaining GDPR-compliant operations across European markets, including Denmark. Our team combines Portuguese civil law expertise with English common law tradition, giving us a practical perspective on how data protection obligations interact with cross-border commercial structures. We work with data controllers and data processors of all sizes – from market entrants establishing their first compliance programme to multinational groups remediating legacy gaps ahead of a transaction. The firm's data protection practice includes practitioners with experience before the Danish Data Protection Agency and other EU supervisory authorities, and participates in cross-border practice groups focused on privacy and technology regulation. As an international law firm in Denmark and across the Nordic region, we help clients match compliance investment to genuine risk exposure. To discuss your data protection requirements in Denmark, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.