
Data Protection in Denmark

A technology company expanding into Denmark discovers that its standard data processing agreements, drafted under another EU regime, fail to meet the specific requirements imposed by Danish data protection rules. The company receives a formal inquiry from the supervisory authority within weeks of launching. Without immediate expert intervention, the matter escalates toward enforcement proceedings – and potential fines measured in millions of euros.

Data Protection in Denmark is governed by EU-wide privacy legislation as directly applied and supplemented by national Danish data protection law, administered by the Datatilsynet (Danish Data Protection Authority). International businesses operating in Denmark must comply with obligations applicable to both data controllers and data processors, including lawful basis requirements, data transfer restrictions, and mandatory breach notification within 72 hours of discovery. Non-compliance triggers supervisory investigations, corrective orders, and administrative sanctions under the Danish enforcement regime.

This page covers the regulatory setting in Denmark, key legal instruments and procedures, common pitfalls for international businesses, cross-border strategy involving Portugal and the EU, and a self-assessment checklist to help you evaluate your current compliance position.

The Danish data protection regulatory setting

Denmark operates within the EU's unified privacy regime but applies it through a national legislative layer that adds sector-specific rules and enforcement nuances. The Datatilsynet is the competent supervisory authority. It handles complaints, conducts audits, issues guidance, and imposes corrective measures and administrative fines.

Danish data protection legislation supplements the EU privacy rules in several important areas. These include specific provisions on processing employee personal data, rules on sensitive categories of information, and obligations applicable to public authorities. International businesses – particularly those accustomed to common law privacy regimes in the UK or the United States – should note that Denmark's civil law tradition shapes how obligations are interpreted and enforced in practice.

The Datatilsynet has demonstrated a willingness to pursue enforcement actions against both Danish companies and foreign businesses with operations or targeting activities directed at Danish residents. Supervisory priorities in recent years have focused on consent mechanisms, data transfers to third countries, and processor accountability. A business that assumes EU-level GDPR compliance automatically satisfies Danish requirements may find that gap costly to close under time pressure.

The regulatory conditions for data processing in Denmark require every organisation to identify its legal basis for each processing activity. Legitimate interest assessments, consent mechanism design, and data retention policies must all be documented and defensible. The Datatilsynet does not accept informal assurances. Written records, including records of processing activities, are a mandatory baseline.

Key legal instruments and compliance procedures

Compliance in Denmark requires a structured set of legal instruments. Each instrument has specific conditions, timelines, and risk exposure if absent or deficient.

Records of processing activities. Every data controller and data processor above the relevant employee threshold is required to maintain a written record of all processing operations. In practice, even smaller organisations are advised to maintain these records, as the Datatilsynet may request them during an audit or investigation. The record must cover purpose, category of data, retention period, and security measures. A missing or incomplete record is frequently among the first findings in an enforcement action.

Data processing agreements. Where a data controller engages a third-party data processor, a written data processing agreement is mandatory under Danish data protection rules. The agreement must specify the subject matter, duration, nature, and purpose of the processing, along with the obligations of each party. Many international businesses import template agreements that do not satisfy Danish supervisory standards. The Datatilsynet has issued specific guidance on minimum content requirements. Practitioners note that poorly drafted processor agreements are among the most common enforcement triggers for international companies entering the Danish market.

Consent mechanisms. Where consent is relied upon as the legal basis for processing, the consent mechanism must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consents do not satisfy the standard under Danish data protection law. Withdrawal must be as easy as giving consent. For digital services directed at Danish users, consent architecture – including cookie banners and preference centres – is a recurring area of supervisory scrutiny. Businesses should audit their consent mechanisms before launching any product or service in Denmark.

Data breach notification. A personal data breach must be notified to the Datatilsynet within 72 hours of discovery, where the breach is likely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, affected individuals must also be notified without undue delay. The 72-hour clock begins at the moment any part of the organisation becomes aware of the breach – not when it is escalated to management. Organisations without a tested incident response procedure routinely miss this deadline, converting an inadvertent breach into a compounding compliance failure.

Data protection impact assessments. Processing activities that are likely to result in a high risk to individuals require a konsekvensanalyse (data protection impact assessment, or DPIA) before processing commences. The Datatilsynet publishes a list of processing types for which a DPIA is mandatory. Systematic monitoring of publicly accessible areas, large-scale processing of sensitive data, and automated decision-making that produces legal effects are among the categories that trigger this requirement. A DPIA omitted at the outset is difficult to retrofit once operations are underway.

Data transfers outside the EU/EEA. Transferring personal data to countries outside the European Economic Area requires a valid transfer mechanism. Standard contractual clauses, binding corporate rules, and adequacy decisions are the primary instruments. Following the invalidation of earlier transfer frameworks by European courts, organisations relying on legacy transfer arrangements must verify that their current mechanisms remain valid. The Datatilsynet has actively investigated non-compliant international data transfers. Businesses that rely on cloud providers or group-level data processing platforms should map all data flows and confirm the applicable transfer basis before operations begin.

For businesses whose Danish operations also involve AI-driven data processing, our analysis of AI regulatory obligations in Denmark addresses how emerging technology rules intersect with data protection requirements.

To receive an expert assessment of your data protection compliance position in Denmark, contact us at info@ferrazwhitmore.com.

Pitfalls international businesses encounter in Denmark

Denmark presents a number of compliance challenges that are not immediately apparent from reading the EU-level rules. International clients regularly underestimate the gap between general GDPR compliance and specific Danish requirements.

Employee data processing. Danish data protection law applies specific conditions to the processing of employee personal data. Monitoring employee communications, using location data, and processing health information in the employment context are subject to rules that go beyond the general EU baseline. Many international businesses assume that their group-wide HR data practices are compliant without reviewing them against Danish employment-specific provisions. The consequences of non-compliance in this area can combine data protection liability with employment law exposure.

Reliance on legitimate interest without proper assessment. Legitimate interest is a widely relied-upon legal basis across Europe. In Denmark, the Datatilsynet expects a documented balancing test that demonstrates the interests of the organisation do not override the rights and freedoms of the data subject. A generic statement of legitimate interest without a jurisdiction-specific assessment is unlikely to withstand supervisory scrutiny. This is a common shortcut taken by international businesses operating across multiple EU markets simultaneously.

Processor oversight obligations. Being a data controller in Denmark does not end at signing a data processing agreement. Controllers must verify that processors provide sufficient guarantees of technical and organisational security measures. Sub-processor chains – where the primary processor engages further processors – require specific contractual safeguards and, in many cases, prior authorisation by the controller. Organisations that have not mapped their processor chains or reviewed sub-processor arrangements may be exposed without realising it.

Supervisory engagement timelines. When the Datatilsynet opens an inquiry, response deadlines are typically short – often two to four weeks for initial submissions. Organisations that do not have their compliance documentation in order find it extremely difficult to prepare a credible response within this window. Engaging specialist counsel only after receiving a formal inquiry, rather than maintaining an active compliance programme, substantially increases both cost and risk.

Fines and reputational exposure. The Danish enforcement regime allows administrative fines at the levels set by the EU privacy rules: up to 20 million euros or a percentage of global annual turnover for the most serious infringements. The Datatilsynet has recommended criminal prosecution in a number of cases, which is a distinctive feature of the Danish enforcement environment compared to many other EU member states. The reputational consequences of a public enforcement decision often exceed the direct financial penalty.

Cross-border strategy: Denmark, Portugal, and EU compliance

International businesses frequently operate data processing activities across multiple EU jurisdictions simultaneously. Where a business has establishments in both Denmark and Portugal, the question of which supervisory authority leads a cross-border investigation is determined by the location of the organisation's main establishment. Under the EU's one-stop-shop mechanism, the lead supervisory authority coordinates with concerned authorities – including the Datatilsynet – but does not displace local enforcement entirely. Danish residents may file complaints directly with the Datatilsynet regardless of where the company's lead authority is located.

For businesses structured through a Portuguese holding company or using Portugal as their EU hub, the interaction between the Portuguese data protection supervisor, the Comissão Nacional de Proteção de Dados (National Data Protection Commission), and the Datatilsynet is a practical compliance consideration. Both authorities apply the same EU-level rules but through national implementing legislation that differs in certain procedural respects. Our work on data protection compliance in Portugal addresses the specific obligations and supervisory practices applicable in that jurisdiction.

Binding corporate rules offer a pathway for multinational groups to manage intra-group data transfers under a single approved instrument. However, the approval process is lengthy, typically running to over a year, and requires coordination with the lead supervisory authority. Standard contractual clauses remain the most frequently used transfer mechanism for third-country data flows. Following the Schrems line of European Court of Justice rulings, the clauses alone may not be sufficient. A supplementary transfer impact assessment is now expected where the destination country's laws may undermine the protections the clauses provide.

The EU-US Data Privacy Framework provides an adequacy mechanism for transfers to certified US organisations. However, its long-term stability remains a live legal question. Organisations that have relied solely on this framework should maintain contingency documentation in the form of standard contractual clauses as an alternative basis.

Businesses considering the Danish market as a gateway to the Nordic region should also factor in the data protection rules applicable in Norway and Sweden. While these jurisdictions apply the same EU-level regime through EEA incorporation, their supervisory authorities have distinct enforcement priorities and interpretation practices. A compliance strategy designed for Denmark will require adaptation rather than simple replication.

For businesses that use data-intensive processes or automated systems, our guidance on establishing a company in Denmark covers the structural considerations that affect how compliance obligations are allocated within a Danish entity.

For a tailored strategy on data protection compliance and cross-border data transfer management in Denmark, reach out to info@ferrazwhitmore.com.

Self-assessment checklist before operating in Denmark

This checklist is designed to help international businesses evaluate their readiness before or immediately after commencing data processing activities in Denmark. Each item represents a practical compliance threshold assessed by the Datatilsynet during audits and investigations.

This compliance baseline is applicable if your organisation:

  • collects, processes, stores, or transfers personal data of individuals located in Denmark
  • operates a website, app, or digital service accessible to Danish users
  • employs individuals in Denmark, regardless of where the employing entity is registered
  • engages Danish-based processors or acts as a processor for a Danish controller
  • transfers personal data from Denmark to countries outside the EU or EEA

Before commencing or continuing operations, verify:

  • Records of processing activities are maintained, current, and accessible to the Datatilsynet upon request
  • Every processing activity has an identified legal basis, documented in writing
  • All data processing agreements with processors and sub-processors are in place and meet Danish supervisory standards
  • Consent mechanisms – including cookie banners – meet the freely given, specific, and unambiguous standard
  • A data breach response procedure is tested and assigns clear responsibility for the 72-hour notification obligation
  • DPIAs have been completed for all high-risk processing activities, prior to commencement
  • All data transfers to third countries have a valid and current legal basis, with supplementary transfer impact assessments where required
  • Employee data processing practices comply with Danish employment-specific data protection rules
  • A data protection officer has been appointed where required, or a documented assessment confirms the obligation does not apply

Decision indicators – when to seek specialist counsel:

If your organisation has received an inquiry from the Datatilsynet, a response strategy should be developed immediately. The typical response window does not allow for a compliance programme to be built from scratch. If your organisation is planning a new processing activity involving large-scale or sensitive data, a DPIA and legal basis assessment should precede launch. If your transfer mechanisms have not been reviewed following recent European court rulings, a transfer mapping exercise is overdue.

Frequently asked questions

How long does it take the Datatilsynet to resolve a complaint or investigation?
The duration depends on the complexity of the matter and whether enforcement proceedings are initiated. Straightforward complaint cases may conclude within several months. Investigations involving potential fines or criminal referrals can extend over one to two years. Organisations that cooperate promptly and provide complete documentation typically experience shorter resolution timelines. Engaging a lawyer in Denmark with supervisory authority experience at the outset materially affects how the process unfolds.

Does a company based outside Denmark need to appoint a local representative?
A common misconception is that the obligation to appoint an EU representative only applies to businesses with no establishment anywhere in the EU. In fact, any organisation that processes personal data of individuals in Denmark without an establishment in any EU member state is required to designate a representative in the EU. This representative must be located in a member state where the organisation's processing activities are concentrated. The obligation is a compliance requirement, not merely a formality – the representative can be contacted directly by the Datatilsynet and by data subjects.

What are the realistic cost implications of a data protection compliance programme in Denmark?
Costs vary considerably depending on the size of the organisation, the volume and sensitivity of data processed, and the existing state of documentation. A law firm in Denmark advising on an initial compliance review and documentation package for a mid-sized international business typically charges in the range of several thousand to tens of thousands of euros. The cost of a reactive compliance exercise following a supervisory investigation – including legal representation, remediation, and potential fines – is routinely a multiple of preventive costs. GDPR compliance investment is most cost-effective when undertaken before the Datatilsynet becomes involved.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international companies in meeting their compliance obligations in Denmark and across EU and non-EU markets. We combine Portuguese civil law expertise with English common law tradition to deliver practical, cross-border data protection solutions covering data controller and data processor obligations, consent mechanism design, data transfer compliance, DPIA procedures, and supervisory authority engagement. As an international law firm advising on Denmark mandates, we work alongside local counsel and in-house teams to build defensible compliance programmes tailored to each client's operational profile. The firm's data protection team has advised on cross-border compliance matters spanning EU and common law systems, and works regularly with clients navigating the intersection of GDPR compliance requirements and national implementing legislation. Ferraz & Whitmore is a member of leading international legal associations and participates in cross-border practice groups focused on technology and privacy law. To discuss your data protection position in Denmark, contact us at info@ferrazwhitmore.com.

Sophie Laurent, Legal Analyst, Tax & Data Protection

Sophie Laurent leads our French and Scandinavian desks. She advises Swiss banks, French private clients and Scandinavian fintech founders on cross-border tax planning, GDPR compliance and banking regulation. Sophie qualified in both France and Switzerland and worked for six years in a tier-one Geneva tax boutique before joining Ferraz & Whitmore. She is fluent in three languages and writes our French-, Swiss- and Scandinavian-jurisdiction guides on tax and data protection.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.