Denmark

Law: Act No. 289 of March 8, 2024, on Promulgation of the Act on supplementary provisions to the regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information (the Act) (only available in Danish here) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Danish data protection authority (Datatilsynet)

Summary: Denmark implemented the GDPR through Act No. 502 of May 23, 2018, on Supplementary Provisions to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data. Changes have since been introduced, and as of January 1, 2024, Act No. 289 of March 8, 2024, on Promulgation of the Act on supplementary provisions to the regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information came into effect, and was published on March 8, 2024. The Act is closely aligned with the GDPR and does not derogate at all in areas such as the appointment of a data protection officer, data retention, or data transfers. However, the Act exempts personal data processing covered by the Act governing information databases operated by mass media (only available in Danish here) from the GDPR and the Act. The Danish data protection authority (Datatilsynet) is an active regulator and regularly publishes guidelines on various issues including data breach notification, data subject rights, and security of processing. Notably, Denmark was the first EU country to publish Standard Contractual Clauses for contracts between controllers and processors in line with Article 28 of the GDPR in the EDPB register.