WorldLII [Home] [Databases] [WorldLII] [Search] [Feedback]

EPIC --- Privacy and Human Rights Report

You are here:  WorldLII >> Databases >> EPIC --- Privacy and Human Rights Report >> 2006 >>

[Database Search] [Name Search] [Recent Documents] [Noteup] [Help]

EPIC --- Privacy and Human Rights Report 2006

Title Page Previous Next Contents | Country Reports >Kingdom of Denmark

Kingdom of Denmark

Constitutional Privacy Framework

The Danish Constitution of 1953 contains two provisions relating to privacy and data protection. Section 71 provides for the inviolability of personal liberty. Section 72 states, "The dwelling shall be inviolable. House searching, seizure, and examination of letters and other papers as well as any breach of the secrecy to be observed in postal, telegraph, and telephone matters shall take place only under a judicial order unless particular exception is warranted by Statute."[2019] Section 72 also applies to all kinds of telecommunication and electronic data. The European Convention on Human Rights[2020] (ECHR) was ratified in 1953 and was formally incorporated into Danish law in 1992.[2021]

Data Protection Framework

The Act on Processing of Personal Data (the Act) entered into force on July 1, 2000.[2022] The Act implements the European Union (EU) Data Protection Directive (1995/46/EC) into Danish law. It replaces the Private Registers Act of 1978, which governed the private sector,[2023] and the Public Authorities' Registers Act of 1978, which governed the public sector.[2024] The law divides personal information into three categories: ordinary, sensitive and semi-sensitive and provides different conditions for the processing of each.[2025] According to Section 2 (2), the Act should not be applied if this is contradictory to the freedom of expression and information as stipulated in Article 10 of the European Convention on Human Rights. An exemption from the Act is provided for the Danish Security Intelligence Service (PET) and the Danish Defence Intelligence Service (FE).

Data Protection Authority

The Danish Data Protection Agency (Datatilsynet or DPA) enforces the Act. The DPA is a public body consisting of a council and a secretariat. The Minister of Justice appoints the members of the council. Neither the Ministry of Justice nor any other public body has instructive authority over the agency, but the agency is attached to the Ministry of Justice regarding recruitment of staff and budgetary issues.[2026] The DPA supervises registries established by public authorities and private enterprises in Denmark. It ensures that the conditions for registration, disclosure and storage of data on individuals are complied with. It mainly deals with specific cases based on inquiries from public authorities or private individuals, or cases taken up by the agency on its own initiative. Staff of the DPA is allowed to enter any premise where a file is operated without a court order. Decisions made by the DPA are final and may not be appealed to any other administrative body. They may, however, be brought before the courts. According to the Act, the DPA is required to give an opinion before any new laws or regulations that have an impact on privacy are issued.[2027] The DPA has recently examined the Act on Prohibition of Video Surveillance and assessed whether this type of surveillance complies with the Act.[2028]

In 2005, the DPA received 1,100 inquiries and complaints and 61 inspections. Of these, 692 concerned private entities, 408 concerned public bodies and 112 were initiated by the DPA. Private entities filed 1,583 notifications for registrations of personal information; public bodies filed 1,157. Of the 4,585 cases in total, other topics of interest are: issues of security (27), legislative preparation (195) and international cases (154).[2029] The issues of digital surveillance as a crime preventive measure and security in relation to the transfer of personal information on the Internet have been central in many of the inquiries and statements.

In 2006, the DPA issued two opinions on the balance between the Act and the right of freedom of expression contained in the European Human Rights Convention. In the first case, the DPA found that while a private website contained information about the complainant’s name, position, education, and work place, the bulk of the information on the website expressed subjective views which outweighed the individual’s privacy concern. In the second case, the DPA responded to a request from the Minister of Justice for a statement to use in answering some questions raised by the Parliamentary Committee for Legal Affairs, concerning “hate pages” on the Internet and the passing of personally sensitive data on web sites without the consent of the individuals concerned. The DPA again stressed that the Act does not apply if it would be in violation of the right to freedom of information or the right to freedom of expression found at Article 10 of the European Human Rights Convention.[2030]

During hostilities in July 2006, Danish citizens were evacuated from Lebanon. The Ministry of Foreign Affairs and the Ministry of Employment inquired with the DPA about the possibilities of releasing data on Danes evacuated from Lebanon to other authorities in order to check certain issues. Concerning cash social benefits, the DPA found that only municipal authorities can collate data from registers in order to check personal financial information. There is no statutory authority for a general, cross-referential collation in order to check information concerning other issues, e.g. information about travels abroad. In relation to unemployment benefits, the DPA found that the relevant provision in the Act on Unemployment Insurance allows cross-referential collation of information from another public authority, e.g. concerning individual travel in order to perform a general investigation as to whether the benefits have been rightly disbursed. The DPA had no objections to the Ministry of Foreign Affairs inquiring to other public authorities whether a certain individual had been evacuated, as long as the public agency can legally perform such checks on individuals.[2031]

Wiretapping and Surveillance Rules

The Criminal Code regulates wiretapping.[2032] In 2001, the Danish parliament adopted an amendment to the Act on Administration of Justice increasing the police surveillance mandate by allowing access to a list of all active mobile phones near the scene of a crime at the time the crime was committed. This law was approved by the Parliament in June 2001. Statistical data on the interference of communications by the police in 2006 show that the courts approved 3,477 of 3,572 requests prior to the interference. The majority of requests were related to drug-related crimes (2,369 request and 2,290 were approved); 52 related to computer crimes; 2,054 requests involved telephone tapping; and 1,806 dealt with the "requiring of information from telecommunication providers (Teleoplysning)."[2033]

Also in 2001, Denmark amended its laws on search and seizure in accordance with its obligations under the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPs) and under pressure from the US software industry. The Administration of Justice Act now authorizes physical searches for copyright infringements without "prior notification of the defendant if it is assumed that the notification would cause a risk of removal, destruction or modification of objects, documents, information in computer systems or anything else that are comprised by the petition for investigation."[2034]

According to the Aliens Act,[2035] immigration authorities may require DNA samples from applicants for residency or persons with whom the applicant claims family ties for the purposes of residency. In its October 2001 report, the United Nations Human Rights Committee expressed concern about the privacy implications of this practice and called on Denmark to ensure that such testing is used only when "necessary and appropriate to the determination of the family tie on which a residence permit is based."[2036]

An act on the activities of the police was adopted in 2004,[2037] establishing a common foundation for the work of the police. The act regulates the procedures for the use of force, and for police interference and investigations, which are not regulated by other legislation. One issue, which has been criticized in relation to this recently adopted act, is the lack of regulation regarding the use of electronic tracking devices on vehicles as a means of police surveillance.[2038]

Anti-terrorism Measures

In October 2001, the Minister of Justice and the Ministry of the Interior issued a package of "anti-terrorism" proposals in order to implement the United Nations (UN) Security Council's Resolution 1373 (2001) on Combating Terrorism and to prepare for the UN's International Convention for the Suppression of the Financing of Terrorism.[2039] In May 2002, the Parliament approved the anti-terrorism bill despite vocal opposition from non-governmental organizations and industry groups. The bill became law in June 2002.[2040] Among other things, the legislation establishes mandatory retention of traffic data for one year by telecommunications and Internet providers. It also gives law enforcement the power to secretly install snooping software on the computers of criminal suspects. The software will record keystroke data and transmit it electronically to the law enforcement agency. This power may only be used for serious crimes and will require an interception warrant. Serious crimes are defined as those punishable by jail for six years or more, including narcotics offenses, homicide, assault and battery, causing danger to other people's lives and health, theft, computer crimes, trafficking of refugees, child pornography, and crimes against national security and the public order. During the adoption of the act, there was considerable debate about what kind of traffic data would have to be retained by service providers and, also, what constitutes a service provider for the purposes of the retention requirement.

An administrative order from the Ministry of Justice was underway from 2002 to 2006 as a follow-up to the "anti-terrorism package," extending the scope of Section 786 of the Administration of Justice Act.The order was approved in September 2006, with an implementation deadline set to September 2007. The administrative order regulates in more detail the obligations of the Danish telecommunications providers (small private Internet Service Providers (ISPs) excluded), specify how they must assist the Danish police interfering with the secrecy of communication, what data should be retained, and how it should be done. During the drafting period the proposal was heavily criticized by ISPs, cooperative housing associations and non-governmental organizations for being disproportionate and inconsistent, e.g., letting private entities store huge amounts of personal information, while at the same time being easy to evade, because of the many exemptions, such as libraries and universities not being included. The administrative order further implements the recently (February 2006) adopted EU directive on data retention.

On June 4, 2003, the Parliament enacted a bill to combat organized crime. The act amends the Administration of Justice Act and Criminal Code and expands crimes for which the police can secretly install snooping software on criminal suspects' computers.[2041] This is an extension of the anti terrorism package, and expands the area in which the police can use snooping software to also cover all crimes carrying a maximum penalty of six years or more, grave theft, serious tax fraud and smuggling.

Unsolicited Commercial E-mails ("Spam")

Spamming has, since June 2000, been forbidden under the Marketing Practices Act (Markedsfoeringsloven).[2042] Article 13 of the EU Privacy and Electronic Communications Directive[2043] was transposed into Danish law on June 10, 2003.[2044] It changed Denmark's legal data protection framework on spam. According to the directive, people who have already given their address to companies can now be spammed with advertisements for "similar services" ("soft opt-in"), which the Marketing Practices Act had not previously allowed.[2045]

Major Privacy Case Law

In March 2005, the Danish Maritime and Commercial court convicted the mobile phone company Debitel Denmark for spamming.[2046] The company paid a fine of DKK 2,000,000 (269,000 EUR) for sending out unsolicited advertising material. In Denmark, this is the largest fine ordered for spamming. Debitel Denmark had sent 12,000 text messages and 36,000 e-mails advertising for products. The size of the fine was also based on other violations of the Marketing Practices Act.[2047]

The Danish Consumer Ombudsman has published guidelines for industry regarding spamming and Section 6a of the Marketing Practices Act. Also, the Danish Consumer Ombudsman has established e-mail addresses where consumers can file complaints regarding spam.[2048]

In November 2004, a Danish district court found a person guilty of violating the Act on Prohibition of TV Surveillance and imposed a fine of DKK 3,000 (400 EUR). The individual had set up webcams to record movements in a public place and published the recordings on a website. The webcams provided an overview of a public area, and individuals could not be identified in the recordings.[2049] The Act on Prohibition of TV Surveillance[2050] generally prohibits private entities from placing video cameras in public places. However, the Act allows video surveillance of shopping centers, stores and ATM machines, but requires notices to be posted informing the public of the ongoing surveillance.

In May 2006, the Danish Supreme Court issued a decision on the privacy rights of the deceased and his or her estate. In a dispute over inheritance, the complainant claimed that it would be a violation of the Privacy Act to exhume his father in order to administer a DNA test. The Court stated that although the concept “the right to privacy” is not narrowly defined in the Act, it would be too sweeping of an interpretation to assume that DNA testing from a deceased person violated the right to privacy of the estate or the deceased.[2051]

Recent Developments

The Danish trade association for Information Technology, Telecommunications, Electronics and Communication Enterprises (ITEK/DI) initiated a task force on privacy in 2006. The aim of the task force is to promote the effective protection of privacy in the daily practices of public and private institutions. The Privacy Task Force, which has broad representation from industry, civil society, and academia, has published a number of reports, guidelines and recommendations.[2052]

In June 2006, Parliament introduced amendments to the Administration of Justice Act, the Act Prohibiting Video Surveillance, and the Act on Air Traffic (strengthening of the efforts to fight terrorism, etc.).[2053] The bill contains a number of initiatives to improve the police’s ability to prevent, investigate, and combat acts of terror. The proposed amendment to the Administration of Justice Act intends to include statutory authority for the Police Intelligence Service to pass on information to the Defence Intelligence Service and collect information from other authorities to the extent that the information “could be of importance” to carrying out the tasks of the service. Furthermore, phonetapping in connection with criminal investigations will be targeted at an individual rather than at the means of communication. An amendment concerning subsequent notification of the phonetap was also put forward in the proposal. Such notification can be omitted or postponed for a fixed period of time if notification is considered to be detrimental to the investigation. The suggested amendment of the Air Traffic Act will oblige airline companies to register and keep data on passengers and crew for one year and release these when necessary in order to prevent or investigate crimes against “security of the State.”

Parliament seeks to implement another anti-terror initiative in its proposed amendment to a telecommunications act.[2054] The amendment concerns police access to subscriber information from suppliers of electronic communication networks or services through the logging of personal IP addresses. At the same time, sanctions in the form of fines are introduced for suppliers violating the provision. The proposed new Art. 15c means that at any time and without any specific suspicion about terror, the police may order suppliers of electronic communication networks and services to release information detailing an end user’s access to communication networks and services to the Minister of Science.

Open Government

Other laws regulating the processing of personal information by the public sector include the Public Administration Act of 1985,[2055] the Publicity and Freedom of Information Act of 1985,[2056] and the Act on Public Records of 2002.[2057] These laws set out basic data protection principles and determine which data and governmental records are accessible to the public and which should be kept confidential.[2058] Sectoral laws also provide special protections for medical information[2059] and credit card details[2060] and lay down restrictions on direct marketing (including spam).[2061] If they are in accordance with Denmark's international obligations, these sectoral laws take priority over the general Data Protection Act.[2062]

Danish citizens do not have an identification card but all citizens are provided with a Central Personal Registration (CPR)[2063] number, which is used to identify them in public registers. The information in the CPR register includes: name, address, municipality, prior addresses, place and date of birth, gender, nationality, membership information regarding the Danish National Church, information on family ties, guardians, information on marriage and information on job positions. The Ministry of Interior can hand over information for purposes of statistics or research. According to Section 38 of the Act, private entities can gain access to information[2064] on a larger group of persons identified individually.[2065] A condition for the access is that the private entity has a legitimate purpose. According to the Act an individual can upon request be granted a name and address protection lasting one year in relation to private entities.[2066]

International Obligations

On January 6, 1972, Denmark ratified the UN International Covenant on Civil and Political Rights and the Optional Protocol allowing the UN Human Rights Committee to receive and consider communications from individuals. Denmark is a member of the Council of Europe and has ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.[2067] Denmark signed the Convention on Cybercrime on April 22, 2003, and ratified it on June 21, 2005. The Additional Protocol to the Convention on Cybercrime, concerning the criminalization of acts of a racist and xenophobic nature committed through computer systems was signed in February 2004, and ratified in June 2005. Denmark is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.


The original (un-amended) Danish Public and Private Registers Acts of 1978 and Guidelines regarding Notification of Data Processing Bureaus of 1979 continue to apply within Greenland, a self-governing territory. The Danish Data Protection Agency oversees compliance with the law. The 1988 amendments that brought Denmark into compliance with the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data do not apply to Greenland. Furthermore, Greenland is not part of the European Union and therefore has not adopted the EU Data Protection Directive. Greenland's data protection requirements are much less stringent than those of Denmark and the other member states of the European Union.

[2019] Constitution of Denmark 1953, available at <>.
[2020] Convention for the Protection of Human Rights and Fundamental Freedoms CETS No.: 005.
[2021] Act No. 285 of April 29 1992.

[2022] Act on Processing of Personal Data, Act No. 429 of May 31, 2000 (Lov om behandling af personoplysninger), available at <>.
[2023] Private Registers Act of 1978 (Lov nr 293 af 8 juni 1978 om private registre mv), in force January 1,1979.
[2024] Public Authorities' Registers Act of 1978 (Lov nr 294 af 8 juni 1978 om offentlige myndigheders registre), in force January 1, 1979.
[2025] Peter Blume et al., Nordic Data Protection 19-20 (DJOEF Publishing Copenhagen 2001).

[2026] The DPA consists of a Counsel and an independent Secretariat who is only answerable to the Counsel. The Counsel, which is set up by the Minister of Justice, is composed of a chairman, who is a legally qualified judge, and of six other members. The Council decides in leading cases. The day-to-day business is attended by the Secretariat, which currently counts 30 employees distributed as: one director, one head of department, one head of the technical department, three consultants, 13 legal advisors, one technician/engineer, six clerical workers and four students (part-time employees). E-mail from Tina Fugl, Head of Section of the Danish Data Protection Agency, to Ula Galster, International Policy Fellow, Electronic Privacy Information Center, May 1, 2005 (on file with EPIC).
[2027] Datatilsynet <>; English version available at <>.
[2028] Memorandum on Prohibition of Video Surveillance, September 13, 2004, available at <> (in Danish only).

[2029] The Danish Data Protection Agency, Annual Report 2005 <> (in Danish only).

[2030] Danish Data Protection Agency File no.2006-792-0237, May 2, 2006; Danish Data Protection Agency File no.1006-792-0237, May 31, 2006.

[2031] Email from Rikke Frank Joergensen and Christoffer Badse, Danish Institute of Human Rights, Denmark, to Allison Knight, Research Director, Electronic Privacy Information Center, June 26, 2007 (on file with EPIC).

[2032] Criminal Code at Section 263.
[2033]Annual Statistical Report 2006; The Danish Police <> (in Danish).

[2034] "Denmark Enacts Anti-Piracy Search and Seizure Law," Cluebot, July 20, 2001.

[2035] Consolidated Aliens Act No. 808 of 14 July 2004 (Lovbekendtgørelse 2004-07-14 nr. 808
[2036] Report of the Human Rights Committee, A/56/40,Volume 1, October 26, 2001.

[2037] Act on Police Activities No. 444 of June 9, 2004 (Lov 2004-06-09 nr. 444 om politiets virksomhed ).
[2038] Christoffer Badse, The Use of Electronic Tracking Devices Should Be Regulated, (Pejling bør reguleres) Lov og Ret No. 8, December 2004, (27-32).

[2039] "The Danish 'Anti-Terror' Package," Danish Center for Human Rights, available at <>.
[2040]Act No. 378, June 6, 2002, Concerning the Change of Criminal Code, Administration of
Justice Act, Act on Competition and Consumer Regulation of the Telecommunications Market, Act on Small Arms, Act on Extradition and Act on Extradition of Criminals to Finland, Iceland, Norway and Sweden.

[2041] Section 791 b. Retsplejeloven (Administration of Justice Act), available at <>.

[2042] Section 6a(1).
[2043] Danish version of the directive available at: <>.
[2044] Act No. 450, June 10, 2003. Law concerning the change of Law of Competition and Consumer Regulation of the Telecommunication Market etc.
[2045] According to an amendment to Section 6a of the Marketing Practices Act, there will be an exception to the prohibition of advertising via e-mails to consumers without prior consent. If the consumer has, in connection with a purchase on the Internet, forwarded his or her e-mail address to a company, the company is allowed to mail or spam the consumer's e-mail address. According to Section 6a § 2, it is a precondition for the spamming that the consumer be informed of the possibility to say "no" to any form of electronic advertising material. This means that the consumer must express dissent to avoid getting spammed, which is a change compared to the former regulation where the consumer had to positively express his or her wish to receive advertising material. The amendment entered into force on July 25, 2003.

[2046] Judgment No.: M-0001-04 available at (in Danish) <>.
[2047] Consolidated Act on Marketing Practices (No. 699 of 17 July 2000 (Lovbekendtgørelse 2000-07-17 nr. 699
om markedsføring).

[2048] The Guidelines can be downloaded (in Danish) from <> and complaints can be filed at and

[2049] The judgment is available at <> (in Danish).
[2050] Consolidated Act on Prohibition of TV Surveillance No. 76 of February 1, 2000 (Lovbekendtgørelse 2000-02-01 nr. 76
om forbud mod tv-overvågning mv.)

[2051] Filtenborg Mortensen estate vs. Denmark no. 1338/03.

[2052] ITEK, <>.

[2053]Act no. 542 of June 8, 2006.

[2054]Act on Competition and Consumer Issues on the Telecommunication Market ,Act no. 545 of June 8, 2006.

[2055] Lov 1985-12-19 nr. 571 Forvaltningslov.
[2056] Lov 1985-12-19 nr. 572 om offentlighed i forvaltningen.
[2057] Lov 2002-12-17 nr. 1050 Arkivlov.
[2058] Peter Blume et al., supra at 13.
[2059] Patients' Rights Act of 1998.
[2060] Credit Cards Act of 2000.
[2061] Consolidated Act on Marketing Practices No. 699, 17 July 2000, Lovbekendtgørelse 2000-07-17 nr. 699
om markedsføring.
[2062] Peter Blume et al., supra at 14.

[2063] As regulated in Consolidated Act on Central Personal Registration, No. 140, March 3, 2004. Lovbekendtgørelse 2004-03-03 nr. 140 om Det Centrale Personregister.
[2064] The information accessible include primarily: name, address, job position, death and disappearance.
[2065] Identified by either CPR number, date of birth and name or address and name.
[2066] The Consolidated Act on Central Personal Registration, Section 28.

[2067] Signed January 28, 1981; ratified October 23, 1989; entered into force February 1, 1990.

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback