Category Archives: Denmark


Data protection agency publishes new IT security text

The Danish DPA has published guidance on IT security around shared log-ins.

This is part of a series of IT security guidance, started in 2014, and comprising 11 different publications. The purpose of IT security texts is to focus on selected IT security issues, as data controllers, data processors, project leaders and others in practice to deal with in regard to the processing of personal data. Each IT security text unfolds a selected IT security problem. The deployed problem can benefit from further consideration before making decisions on how the problem is solved in practice in their own organization.

Not all EU data protection authorities produce information security guidance – it is a relatively minority activity, although many DPAs do produce guidance documents (several of which are hosted in this repository).


<<Annual Report 2015>> Datatilsynets årsberetning 2015

The annual report for the Danish data protection authority for 2015, published in 2016, includes a section on the international cooperation activities of the Danish DPA over the year, including activities related to the joint supervisory boards of Europol, Schengen visa system, EURODAC.


Personal information in search engines

The Danish DPA issued a guide on the procedure for exercise of the “right to be forgotten” – or more accurately, the procedure for having a person’s name removed from search engine results, as based upon the European Court of Justice’s judgement against Google Spain and Google Inc. This includes the criteria used by the DPA in assessing these cases.


Data Protection Package is now finally adopted

<<” In January 2012, the European Commission presented a proposal for data protection package. The package is formally adopted on 14 April 2016. The package will take effect two years after entry into force, which will be mid-May 2018.

The package consists of a general regulation on the protection of personal data, which will apply horizontally in both the private and public sector (Data Protection Regulation), and a directive on the protection of personal data, which will apply to law enforcement (Data Protection Directive). The regulation will replace the Data Protection Directive of 1995, while the Directive will replace a framework decision from 2008.” >>



New Supervisory unit of the Data Protection Agency

<<Data Protection Agency has created a new oversight unit>>

The new regulator will be responsible for all Data Protection Agency scheduled inspections and DPA ad hoc inspections for violations of the statutory safety requirements.

The device is horizontal. It includes employees from all parts of the Data Protection Agency. Head Lena Andersen heads the unit.

Planned supervision

In selecting topics for scheduled inspections should be according to the Data Protection Agency’s regulatory strategy for 2016-2018 particular attention to the processing of personal data, which because of their size or purpose may pose a particular risk to violate the data subject’s right to data protection and privacy, as well as on treatments which involves the use of new technology.

In selecting topics as well as the data controller, to be included in the planned visit, take Datatilsynet include considering whether an area is obtained information – including letters from individuals or via media coverage – that would suggest a special need for supervision.


The subjects of planned inspections in 2016

Data Authority inspection unit focuses in 2016 on selected topics from a variety of controllers.

Checking the following items will go again on 30 supervision facing public authorities:

• Comprehensive safety rules
• authority’s own supervision,
• processor agreements and
• authority’s own control processors.

At 20 private controllers the following topics go again:

• Compliance with the Data Protection conditions
• processor agreements and
• the company’s own control processors.

In all monitoring will be used information gathering by questionnaire.

Opposite least 5 controller Data Protection Agency will also follow up with the actual inspections. >>


Detailed information from the Data Protection Agency about the “Safe Harbor” case

This news release and guidance document from the Danish DPA provides contextual background information on the declaration by the EU court of the invalidity of the Safe Habor agreement between the US and the EU on the transfer of personal data. The European Court of Justice (ECJ) had, on 6 October 2015, issued a judgement on a preliminary ruling by the Irish High Court, in a case between the Austrian citizen Maximillian Schrems and the Irish Data Protection Commissioner.

It further provides guidance on other legal arrangements for the transfer of personal data to the US (appropriate contractual provisions, the Commission’s model contracts, and binding corporate rules), and action being taken by both the Danish DPA and in concert with other EU DPAs.