
Act No. 429 of 31 May 2000

This version is translated for the Danish Data Protection Agency. The official version is published in "Lovtidende" (Official Journal) on 2 June 2000. Only the Danish version of the text has legal validity.

Act on Processing of Personal Data [1]

WE MARGRETHE THE SECOND, by the Grace of God, Queen of Denmark

make known that: Folketinget (the Danish Parliament) has passed and We have granted Our Royal Assent to the following Act:

Title I

General provisions

Part 1

Scope of the Act

1. - (1) This Act shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

(2) This Act shall further apply to other non-automatic systematic processing of data which is performed for private persons or bodies and which includes data on individual persons' private or financial conditions or other personal circumstances which can reasonably be claimed not to be made open to the public. However, this shall not apply to Part 8 and Part 9 of this Act.

(3) This Act shall further apply to the processing of data concerning enterprises, etc., cf. subsections (1) and (2), if the processing is carried out for credit information agencies. The same shall apply in the case of processing of data covered by section 50 (1) 2.

(4) Part 5 of the Act shall also apply to the processing of data concerning companies, etc., cf. subsection (1).

(5) In other cases than those mentioned in subsection (3), the Minister of Justice may decide that the provisions of this Act shall apply, in full or in part, to the processing of data concerning companies, etc. which is performed for private persons or bodies.

(6) In other cases than those mentioned in subsection (4), the competent Minister may decide that the provisions of this Act shall apply, in full or in part, to the processing of data concerning enterprises, etc. performed on behalf of public administrations.

2. - (1) Any rules on the processing of personal data in other legislation which give the data subject a better legal protection shall take precedence over the rules laid down in this Act.

(2) This Act shall not apply where this will be in violation of the freedom of information and expression, cf. Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

(3) This Act shall not apply to the processing of data undertaken by a natural person with a view to the exercise of activities of a purely private nature.

(4) The provisions laid down in Parts 8 and 9 and sections 35 to 37 and section 39 shall not apply to processing of data which is performed on behalf of the courts-of-law in the area of criminal law. Nor shall the provisions laid down in Part 8 of the Act and sections 35 to 37 and section 39 apply to processing of data which is performed on behalf of the police and the prosecution in the area of criminal law.

(5) This Act shall not apply to the processing of data which is performed on behalf of the Folketing (the Danish Parliament) and its related institutions.

(6) This Act shall not apply to the processing of data covered by the Act on information data bases operated by the mass media.

(7) This Act shall not apply to information data bases which exclusively include already published periodicals or sound and vision programmes covered by paragraphs 1 or 2 of section 1 of the Act on the responsibility of the media, or part hereof, provided that the data are stored in the data base in the original version published. However, sections 41, 42 and 69 of the Act shall apply.

(8) Furthermore, this Act shall not apply to information data bases which exclusively include already published texts, images and sound programmes which are covered by paragraph 3 of section 1 of the Act on the responsibility of the media, or parts hereof, provided that the data are stored in the data base in the original version published. However, sections 41, 42 and 69 of the Act shall apply.

(9) This Act shall not apply to manual files of cuttings from published, printed articles which are exclusively processed for journalistic purposes. However, sections 41, 42 and 69 of the Act shall apply.

(10) Processing of data which otherwise takes place exclusively for journalistic purposes shall be governed exclusively by sections 41, 42 and 69 of this Act. The same shall apply to the processing of data for the sole purpose of artistic or literary expression.

(11) This Act shall not apply to the processing of data which is performed on behalf of the intelligence services of the police and the national defence.

Part 2

Definitions

3. – (1) For the purposes of this Act:

Part 3

Geographical territory of the Act

4. – (1) This Act shall apply to processing of data carried out on behalf of a controller who is established in Denmark, if the activities are carried out within the territory of the European Community.

(2) This Act shall further apply to processing carried out on behalf of Danish diplomatic representations.

(3) This Act shall also apply to a controller who is established in a third country, if

(4) A controller who is governed by this Act in accordance with paragraph 1 of subsection (3) shall designate a representative established in the territory of Denmark. This shall be without prejudice to legal actions which could be initiated by the data subject against the controller concerned.

(5) The controller shall inform the Data Protection Agency in writing of the name of the designated representative, cf. subsection (4).

(6) This Act shall apply where data are processed in Denmark on behalf of a controller established in another Member State and the processing is not governed by Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of data and on the free movement of such data. This Act shall also apply if data are processed in Denmark on behalf of a controller established in a state which has entered into an agreement with the European Community which contains rules corresponding to those laid down in the above-mentioned Directive and the processing is not governed by these rules.

Title II

Rules on processing of data

Part 4

Processing of data

5. - (1) Data shall be processed in accordance with good practices for the processing of data.

(2) The collection of data shall take place for specified explicit and legitimate purposes and they shall not be further processed in a way incompatible with these purposes. Further processing of data which takes place exclusively for historical, statistical or scientific purposes shall not be considered incompatible with the purposes for which the data were collected.

(3) Data which are to be processed shall be adequate, relevant and not excessive in relation to the purposes for which the data are collected and the purposes for which they are subsequently processed.

(4) The processing of data shall be organised in a way which ensures the required up-dating of the data. Furthermore, necessary checks should be made to ensure that no inaccurate or misleading data are processed. Data which turn out to be inaccurate or misleading shall be erased or rectified without delay.

(5) The data collected may not be kept in a form which makes it possible to identify the data subject for a longer period than is necessary for the purposes for which the data are processed.

6. - (1) Personal data may be processed only if:

(2) A company may not disclose data concerning a consumer to a third company for the purpose of marketing or use such data on behalf of a third company for this purpose, unless the data subject has given his explicit consent. The consent shall be obtained in accordance with the rules laid down in section 6 (a) of the Danish Marketing Practices Act.

(3) However, the disclosure and use of data as mentioned in subsection (2) may take place without consent in the case of general data on customers which form the basis for classification into customer categories, and if the conditions laid down in subsection (1) 7 are satisfied.

(4) Data of the type mentioned in sections 7 and 8 may not be disclosed or used by virtue of subsection (3). The Minister of Justice may lay down further restrictions in the access to disclose or use special types of data by virtue of subsection (3).

7. - (1) No processing may take place of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or sex life.

(2) The provision laid down in subsection (1) shall not apply where:

(3) Processing of data concerning trade union affiliation may further take place where the processing is necessary for the controller's compliance with labour law obligations or specific rights.

(4) Processing may be carried out in the course of its legitimate activities by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade union aim of the data mentioned in subsection (1) relating to the members of the body or to persons who have regular contact with it in connection with its purposes. Disclosure of such data may only take place if the data subject has given his express consent or if the processing is covered by subsection (2) 2 to 4 or subsection (3).

(5) The provision laid down in subsection (1) shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health care services, and where those data are processed by a health professional subject to a statutory obligation of professional secrecy.

(6) Processing of the data mentioned in subsection (1) may take place where the processing is required for the performance by an official authority of its tasks in the area of criminal law.

(7) Exemptions may further be laid down from the provision in subsection (1) where the processing of data takes place for reasons of substantial public interests. The supervisory authority shall give its authorisation in such cases. The processing may be made subject to specific conditions. The supervisory authority shall notify the Commission of any derogation.

(8) No automatic filing systems may be kept on behalf of a public administration containing data on political affiliations which are not open to the public.

8. - (1) No data about criminal records, serious social problems and other purely private data than those mentioned in section 7 (1) may be processed on behalf of a public administration, unless such processing is necessary for the performance of the tasks of the administration.

(2) The data mentioned in subsection (1) may not be disclosed to any third party. Disclosure may, however, take place where:

(3) Administrative authorities performing tasks in the social field may only disclose the data mentioned in subsection (1) and the data mentioned in section 7 (1) if the conditions laid down in subsection (2) 1 or 2 are satisfied, or if the disclosure is a necessary step in the procedure for dealing with the case or necessary for the performance by an authority of its supervision or control function.

(4) Private individuals and bodies may process data about criminal records, serious social problems and other purely private matters than those mentioned in section 7 (1) if the data subject has given his explicit consent. Processing may also take place where necessary for the purpose of pursuing a legitimate interest and this interest clearly overrides the interests of the data subject.

(5) The data mentioned in subsection (4) may not be disclosed without the explicit consent of the data subject. However, disclosure may take place without consent for the purpose of pursuing public or private interests, including the interests of the person concerned, which clearly override the interests of secrecy.

(6) Processing of data in the cases which are regulated by subsections (1), (2), (4) and (5) may otherwise be carried out if the conditions laid down in section 7 are satisfied.

(7) A complete register of criminal convictions may be kept only under the control of an official authority.

9. - (1) Data as mentioned in section 7 (1) or section 8 may be processed where the processing is carried out for the sole purpose of operating legal information systems of significant social importance and the processing is necessary for operating such systems.

(2) The data covered by subsection (1) may not subsequently be processed for any other purpose. The same shall apply to the processing of other data which is carried out solely for the purpose of operating legal information systems, cf. section 6.

(3) The supervisory authority may lay down more detailed conditions concerning the processing operations mentioned in subsection (1). The same shall apply to the data mentioned in section 6 which are processed solely in connection with the operation of legal information systems.

10. - (1) Data as mentioned in section 7 (1) or section 8 may be processed where the processing is carried out for the sole purpose of carrying out statistical or scientific studies of significant social importance and where such processing is necessary in order to carry out these studies.

(2) The data covered by subsection (1) may not subsequently be processed for other than statistical or scientific purposes. The same shall apply to processing of other data carried out solely for statistical or scientific purposes, cf. section 6.

(3) The data covered by subsections (1) and (2) may only be disclosed to a third party with prior authorisation from the supervisory authority. The supervisory authority may lay down more detailed conditions concerning the disclosure.

11. - (1) Official authorities may process data concerning civil registration numbers with a view to unambiguous identification or as file numbers.

(2) Private individuals and bodies may process data concerning civil registration numbers where:

(3) Irrespective of the provision laid down in subsection (2) 3, no disclosure may take place of a civil registration number without explicit consent.

12. - (1) Controllers who sell lists of groups or persons for marketing purposes or who perform mailing or posting of messages to such groups on behalf of a third party may only process:

(2) Processing of data of the type mentioned in section 7 (1), or section 8, may, however, not take place. The Minister of Justice may lay down further restrictions in the access to process special types of data.

13. - (1) Official authorities and private companies, etc. may not carry out any automatic registration of the telephone numbers to which calls are made from their telephones. However, such registration may take place with the prior authorisation from the supervisory authority in cases where important private or public interests speak in favour hereof. The supervisory authority may lay down more detailed conditions for such registration.

(2) The provision laid down in subsection (1) shall not apply where otherwise provided by statute or as regards the registration by suppliers of telecommunications network and by teleservices of numbers called, either for own use or for use in connection with technical control.

14. Data covered by this Act may be transferred to storage in a filing system under the rules laid down in the legislation on files.

Part 5

Disclosure to credit information agencies of data on debts to public authorities

15. – (1) Data on debts to public authorities may be disclosed to credit information agencies in accordance with the provisions laid down in this Part of the Act.

(2) No disclosure may take place of data mentioned in section 7 (1) or section 8 (1) of this Act.

(3) Confidential data disclosed in accordance with the rules laid down in this Part shall not for this reason be deemed to be otherwise accessible to the general public.

16. – (1) Data on debts to public authorities may be disclosed to a credit information agency where

(2) It is a condition that the same collection authority administers the total amount of debts, cf. subsection (1) 2.

(3) It is further a condition for the disclosure of data under the provisions of subsection (1) 2, that:

17. – (1) The public authority concerned shall notify the debtor in writing prior to the disclosure of such data. Disclosure may at the earliest take place 4 weeks after such notification.

(2) The notification referred to in subsection (1) shall include information stating:

18. The competent minister may lay down more detailed rules on the procedure in relation to disclosure to credit information agencies of data on debts to public authorities. In this connection it may be decided that data on certain types of debts to public authorities may not be disclosed, or may be disclosed only where further conditions than those referred to in section 16 have been complied with.

Part 6

Credit information agencies

19. Any person who wishes to carry on business involving processing of data for assessment of financial standing and creditworthiness for the purpose of disclosure of such data (credit information agency) shall obtain authorisation to do so from the Data Protection Agency prior to commencing such processing, cf. section 50 (1) 3.

20. – (1) Credit information agencies may only process data which by their nature are relevant for the assessment of financial standing and creditworthiness.

(2) Data as mentioned in section 7 (1) and section 8 (4) may not be processed.

(3) Data on facts speaking against creditworthiness and dating back more than 5 years may not be processed, except where it is obvious in any specific case that the facts in question are of decisive importance for the assessment of the financial standing and creditworthiness of the person concerned.

21. According to the provisions of section 28 (1) or section 29 (1), credit information agencies shall notify the person to whom the data relate of the data mentioned in these provisions.

22. – (1) Credit information agencies shall, at any time, at the request of the data subject, notify him within 4 weeks, in an intelligible manner, of the contents of any data or assessments relating to him that the credit information agency has disclosed within the immediately preceding 6 months, and of any other data relating to the data subject that the agency records or stores at the time of the receipt of the request, whether in a processed form or by way of digital media, including any credit ratings.

(2) Where the agency is in possession of further material relating to the data subject, the existence and type of such further material shall at the same time be communicated to him, and he shall be informed of his right to inspect such material by personally contacting the agency.

(3) The agency shall further provide information on the categories of recipients of the data and any available information as to the source of the data referred to in subsections (1) and (2).

(4) The data subject may demand that the agency’s communication as referred to in subsections (1) to (3) shall be given in writing. The Minister of Justice shall lay down rules on the payment of a fee for communications given in writing.

23. – (1) Data on financial standing and creditworthiness may be given only in writing, cf., however, section 22 (1) to (3). The agency may, however, either orally or in a similar manner, disclose summary data to subscribers, provided that the name and address of the inquirer are recorded and stored for at least 6 months.

(2) Publications from credit information agencies may contain data in a summary form only and may be distributed only to persons or enterprises subscribing to notices from the agency. The publications may not indicate the civil registration numbers of data subjects.

(3) Disclosure of summary data on indebtedness may only take place where the data originate from the Danish Official Gazette, have been notified by a public authority under the rules laid down in Part 5 of this Act, or if the data relate to indebtedness in excess of DKK 1,000 to a single creditor and the creditor has obtained the written acknowledgement by the data subject of the debt being due and payable, or where legal proceedings have been instituted against the debtor concerned. Data on approved debt re-scheduling schemes may, however, not be disclosed. The rules referred to in the first and second clauses of this subsection shall also apply to the disclosure of summary data on indebtedness in connection with the preparation of broader credit ratings.

(4) Summary data on the indebtedness of individuals may be disclosed only in such a manner that the data cannot form the basis for assessment of the financial standing and creditworthiness of other persons than the individuals concerned.

24. Any personal data or credit ratings which turn out to be inaccurate or misleading shall be rectified or erased without delay.

25. Where any data or credit ratings which turn out to be inaccurate or misleading have already been disclosed, the agency shall immediately give written notification of the rectification to the data subject and to any third party who has received the data or the credit rating during the six months immediately preceding the date when the agency became aware of the matter. The data subject shall also be notified of any third party that has been notified under clause 1 of this section, and of the source of the personal data or credit rating.

26. – (1) Where a data subject requests the erasure, rectification or blocking of data or credit assessments which are alleged to be inaccurate or misleading, or requests the erasure of personal data which may not be processed, cf. section 37 (1), the agency shall reply in writing without delay and within 4 weeks from receipt of such a request.

(2) Where the agency refuses to carry out the requested erasure, rectification or blocking, the data subject may within 4 weeks from receipt of the reply of the agency or from expiration of the time-limit for replying laid down in subsection (1) bring the matter before the Data Protection Agency, which shall decide whether erasure, rectification or blocking shall take place. The provisions laid down in section 25 shall be correspondingly applicable.

(3) The reply of the agency in the cases mentioned in subsection (2) shall contain information about the right to bring the matter before the Data Protection Agency and about the time-limit for such submission.

Part 7

Transfer of personal data to third countries

27. – (1) Transfer to a third country of data may take place only if the third country in question ensures an adequate level of protection, cf. however subsection (3).

(2) The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation, in particular the nature of the data, the purpose and duration of the processing operation, the country of origin and country of final destination, the rules of law in force in the third country in question and the professional rules and security measures which are complied with in that country.

(3) In addition to the cases mentioned in subsection (1), transfer of data to a third country may take place on condition that:

(4) Outside the scope of the transfers referred to in subsection (3), the Data Protection Agency may authorise a transfer of personal data to a third country which does not comply with the provisions laid down in subsection (1), where the controller adduces adequate safeguards with respect to the protection of the rights of the data subject. More detailed conditions may be laid down for the transfer. The Data Protection Agency shall inform the European Commission and the other Member States of the authorisations that it grants pursuant to this provision.

(5) The rules laid down in this Act shall otherwise apply to transfers of personal data to third countries in accordance with subsections (1), (3) and (4).

Title III

The data subject’s rights

Part 8

Information to be provided to the data subject

28. – (1) Where the personal data have been obtained from the data subject, the controller or his representative shall provide the data subject with the following information:

(2) The provisions of subsection (1) shall not apply where the data subject already has the information mentioned in paragraphs 1 to 3.

29. - (1) Where the data have not been obtained from the data subject, the controller or his representative shall at the time of undertaking the recording of the data, or where disclosure to a third party is envisaged, no later than the time when the data are disclosed, provide the data subject with the following information:

(2) The rules laid down in subsection (1) shall not apply where the data subject already has the information referred to in paragraphs 1 to 3 or if recording or disclosure is expressly laid down by law or regulations.

(3) The rules laid down in subsection (1) shall not apply where the provision of such information to the data subject proves impossible or would involve a disproportionate effort.

30. – (1) Section 28 (1) and section 29 (1) shall not apply if the data subject’s interest in obtaining this information is found to be overridden by vital private interests, including the interests of the data subject himself.

(2) Derogations from section 28 (1) and section 29 (1) may also take place if the data subject’s interest in obtaining this information is found to be overridden by vital public interests, including in particular:

Part 9

The data subject’s right of access to personal data

31. – (1) Where a person submits a request to that effect, the controller shall inform him whether or not data relating to him are being processed. Where such data are being processed, communication to him shall take place in an intelligible form about:

(2) The controller shall reply to requests as referred to in subsection (1) without delay. If the request has not been replied to within 4 weeks from receipt of the request, the controller shall inform the person in question of the grounds for this and of the time at which the decision can be expected to be available.

32. – (1) Section 30 shall be correspondingly applicable.

(2) Data which are processed on behalf of the public administration in the course of its administrative procedures may be exempted from the right of access to the same extent as under the rules of section 2, sections 7 to 11 and section 14 of the Act on Public Access to Documents in Administrative Files.

(3) The right of access shall not apply to data processed on behalf of the courts where the data form part of a text which is not available in its final form. This shall, however, not apply where the data have been disclosed to a third party. There is no right of access to the records of considerations of verdicts or to any other court records of the deliberations of the court or material prepared by the courts for the purpose of such deliberations.

(4) Section 31 (1) shall not apply where data are processed solely for scientific purposes or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.

(5) As regards processing of data in the area of criminal law carried out on behalf of the public administration, the Minister of Justice may lay down exemptions from the right of access under section 31 (1) in so far as the provision of section 32 (1), cf. section 30, is assumed to result in requests for rights of access in general being turned down.

33. A data subject who has received a communication in accordance with section 31 (1) shall not be entitled to a new communication until 6 months after the last communication, unless he can prove that he has a specific interest to that effect.

34. – (1) Communication in accordance with section 31 (1) shall be in writing, if requested. In cases where the interests of the data subject speak in favour thereof, the communication may, however, be given in the form of oral information about the contents of the data.

(2) The Minister of Justice may lay down rules for payment of a fee for communications which are given in writing by private companies, etc.

Part 10

Other rights

35. - (1) A data subject may at any time object in relation to the controller to the processing of data relating to him.

(2) Where the objection under subsection (1) is justified, the processing may no longer involve those data.

36. - (1) If a data subject objects, a company may not disclose data relating to that person to a third company for the purposes of marketing or use the data on behalf of a third company for such purposes.

(2) Before a company discloses data concerning a consumer to a third company for the purposes of marketing or uses the data on behalf of a third company for such purposes, it must check in the CPR-register whether the consumer has filed a statement to the effect that he does not want to be contacted for the purpose of marketing activities. Before data relating to a consumer who has not given such information to the CPR-register are disclosed or used as mentioned in the first clause of this subsection, the company shall provide information about the right to object under subsection (1) in a clear and intelligible manner. At the same time, the consumer shall be given access to object in a simple manner within a period of two weeks. The data may not be disclosed until the time limit for objecting has expired.

(3) Contacts to consumers under subsection (2) shall otherwise take place in accordance with the rules laid down in section 6 (a) of the Danish Marketing Act and rules issued by virtue of section 6 (a) (6) of the Danish Marketing Act.

(4) The company may not demand any payment of fees in connection with objections.

37. - (1) The controller shall at the request of the data subject rectify, erase or block data which turn out to be inaccurate or misleading or in any other way processed in violation of law or regulations.

(2) The controller shall at the request of the data subject notify the third party to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with subsection (1). However, this shall not apply if such notification proves impossible or involves a disproportionate effort.

38. The data subject may withdraw his consent.

39. - (1) Where the data subject objects, the controller may not make him subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects.

(2) The provision laid down in subsection (1) shall not apply if that decision:

(3) The data subject has a right to be informed by the controller as soon as possible and without undue delay about the rules on which a decision as mentioned in subsection (1) is based. Section 30 shall be correspondingly applicable.

40. The data subject may file a complaint to the appropriate supervisory authority concerning the processing of data relating to him.

Title IV

Security

Part 11

Security of processing

41. - (1) Individuals, companies etc. performing work for the controller or the processor and who have access to data may process these only on instructions from the controller unless otherwise provided by law or regulations.

(2) The instruction mentioned in subsection (1) may not restrict journalistic freedom or impede the production of an artistic or literary product.

(3) The controller shall implement appropriate technical and organisational security measures to protect data against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure, abuse or other processing in violation of the provisions laid down in this Act. The same shall apply to processors.

(4) As regards data which are processed for the public administration and which are of special interest to foreign powers, measures shall be taken to ensure that they can be disposed of or destroyed in the event of war or similar conditions.

(5) The Minister of Justice may lay down more detailed rules concerning the security measures mentioned in subsection (3).

42. - (1) Where a controller leaves the processing of data to a processor, the controller shall make sure that the processor is in a position to implement the technical and organisational security measures mentioned in section 41 (3) to (5), and shall ensure compliance with those measures.

(2) The carrying out of processing by way of a processor shall be governed by a written contract between the parties. This contract shall stipulate that the processor shall act only on instructions from the controller and that the rules laid down in section 41 (3) to (5) shall also apply to processing by way of a processor. If the processor is established in a different Member State, the contract shall stipulate that the provisions on security measures laid down by the law in the Member State in which the processor is established shall also be incumbent on the processor.

Title V

Notification

Part 12

Notification of processing carried out for a public administration

43. - (1) The controller or his representative shall notify the Data Protection Agency before processing of data is carried out on behalf of the public administration, cf., however, section 44. The controller may authorise other authorities or private bodies to make such notifications on his behalf.

(2) The notification shall include the following information:

44. - (1) Processing operations which do not cover data of a confidential nature shall be exempt from the rules laid down in section 43, cf., however, subsection (2). Such processing may further without notification include identification data, including civil registration numbers, and data concerning payments to and from public authorities, unless it is a matter of processing as mentioned in section 45 (1).

(2) The Minister of Justice shall lay down more detailed rules on the categories of processing operations mentioned in subsection (1).

(3) Processing whose sole purpose is the keeping of a register which according to law or regulations is intended to provide information to the public in general and which is open to public consultation shall also be exempt from the rules laid down in section 43.

(4) The Minister of Justice may lay down rules to the effect that certain categories of processing of data shall be exempt from the provisions laid down in section 43. This shall, however, not apply to the categories of processing mentioned in section 45 (1).

45. - (1) Before processing operations covered by the obligation to notify in section 43 are carried out, the opinion of the Danish Data Protection Agency shall be obtained where:

(2) The Minister of Justice may lay down rules to the effect that the opinion of the Agency shall be obtained prior to the start of any other processing operations than those mentioned in subsection (1).

46. - (1) Changes in the information mentioned in section 43 (2) shall be notified to the Agency prior to being implemented. Less important changes may be notified subsequently, but not more than 4 weeks after the implementation.

(2) The opinion of the Agency shall be obtained prior to the implementation of changes in the information mentioned in section 43 (2) contained in notifications of processing operations covered by section 45 (1) or (2). Less important changes shall only be notified. Notification may take place subsequently, but not more than 4 weeks after the implementation.

47. - (1) In cases where the data protection responsibility has been delegated to a subordinate authority and the Agency cannot approve the carrying out of a processing operation, the matter shall be brought before the competent Minister who shall decide the matter.

(2) If the Agency cannot authorise the carrying out of a processing operation on behalf of a municipal or county authority, the matter shall be brought before the Minister of the Interior who shall decide the matter.

Part 13

Notification of processing operations carried out on behalf of a private controller

48. - (1) Prior to the commencement of any processing of data which is carried out on behalf of a private controller, the controller or his representative shall notify the Danish Data Protection Agency, cf., however, section 49.

(2) The notification shall include the information mentioned in section 43 (2).

49. - (1) Processing of data shall, except in the cases mentioned in section 50 (2), be exempt from the rules laid down in section 48 where:

(2) The Minister of Justice shall lay down more detailed rules concerning the processing operations mentioned in subsection (1).

(3) The Minister of Justice may lay down rules to the effect that other types of processing operations shall be exempt from the provision laid down in section 48. However, this shall not apply to processing operations covered by section 50 (1) unless the processing operations are exempted under section 50 (3).

50. - (1) Prior to the commencement of any processing of data which is subject to the obligation to notify in section 48, the authorisation of the Data Protection Agency shall be obtained where:

(2) In the case of transfer of data as mentioned in subsection (1) to third countries by virtue of section 27 (1) and subsection (3) 2 to 4, the authorisation of the Data Protection Agency to such transfer shall be obtained, also if the processing is otherwise exempt from the obligation to notify by virtue of section 49 (1).

(3) The Minister of Justice may lay down exemptions from the provisions of subsection (1) 1 and subsection (2).

(4) The Minister of Justice may lay down rules to the effect that the authorisation of the Agency shall be obtained prior to the commencement of other processing operations subject to the obligation to notify than those mentioned in subsection (1) or subsection (2).

(5) The Agency may when granting an authorisation under subsection (1), subsection (2) or subsection (4) lay down more detailed conditions for the carrying out of the processing operations for reasons of the protection of the privacy of the data subjects.

51. - (1) Changes in the information mentioned in section 48 (2), cf. section 43 (2), shall be notified to the Agency prior to being implemented. Less important changes may be notified subsequently, but not more than 4 weeks after the implementation.

(2) The authorisation of the Agency shall be obtained prior to the implementation of changes in the information mentioned in section 48 (2), cf. section 43 (2), contained in notifications of processing operations covered by section 50 (1), (2) or (4). Less important changes shall only be notified. Notification may take place subsequently, but not more than 4 weeks after the implementation.

Part 14

Notification of processing operations carried out on behalf of the courts-of-law

52. The rules laid down in sections 43 to 46 shall apply to the notification to the Danish Court Administration of processing of data carried out on behalf of the courts-of-law.

Part 15

Miscellaneous provisions

53. Processors established in Denmark and offering electronic processing services shall prior to the commencement of such processing operations notify the Data Protection Agency hereof.

54. - (1) The supervisory authority shall keep a register of processing operations notified under sections 43, 48 and 52. This register, which shall, as a minimum, contain the items of information mentioned in section 43 (2), shall be open to consultation by the general public.

(2) A controller shall make the information mentioned in section 43 (2) 1, 2 and 4 to 6 concerning the processing operations performed on his behalf available to any person who makes a request to this effect.

(3) The right of access of the general public to the register mentioned in subsection (1) and the information mentioned in subsection (2) may be restricted to the extent that this is necessary for the prevention, detection and prosecution of criminal offences, or where required for the protection of vital private interests.

Title VI

Supervision and final provisions

Part 16

The Data Protection Agency

55. - (1) The Data Protection Agency, which consists of a Council and a Secretariat, is responsible for the supervision of all processing operations covered by this Act, cf., however, Part 17.

(2) The day-to-day business is attended to by the Secretariat, headed by a Director.

(3) The Council, which shall be set up by the Minister of Justice, is composed of a chairman, who shall be a legally qualified judge, and of six other members. Substitutes may be appointed for the members of the Council. The members and their substitutes shall be appointed for a term of 4 years.

(4) The Council shall lay down its own rules of procedure and detailed rules on the division of work between the Council and the Secretariat.

56. The Data Protection Agency shall act with complete independence in executing the functions entrusted to it.

57. The opinion of the Data Protection Agency shall be obtained when Orders, Circulars or similar general regulations of importance for the protection of privacy in connection with the processing of data are to be drawn up.

58. – (1) The Data Protection Agency shall supervise, on its own initiative or acting on a complaint from a data subject, that the processing is carried out in compliance with the provisions of this Act and any rules issued by virtue of this Act.

(2) The Data Protection Agency may at any time revoke a decision made in accordance with section 27 (4) or section 50 (2), cf. section 27 (1) or (3) 2 to 4, if the European Commission decides that transfer of data to specific third countries may not take place or that such transfers may lawfully take place. This, however, shall only apply where the revocation is necessary in order to comply with the decision of the Commission.

59. – (1) The Data Protection Agency may order a private data controller to discontinue a processing operation which may not take place under this Act and to rectify, erase or block specific data undergoing such processing.

(2) The Data Protection Agency may prohibit a private data controller from using a specified procedure in connection with the processing of data if the Data Protection Agency finds that the procedure in question involves a considerable risk that data are processed in violation of this Act.

(3) The Data Protection Agency may order a private data controller to implement specific technical and organisational security measures to protect data which may not be processed against processing, and to protect data against accidental or unlawful destruction or accidental loss, alteration, and disclosure to any unauthorised person, abuse or any other unlawful forms of processing.

(4) The Data Protection Agency may in special cases issue a prohibitory or mandatory injunction against data processors, cf. subsections (1) to (3).

60. – (1) The Data Protection Agency shall make decisions in relation to the relevant authority in cases concerning section 7 (7), section 9 (3), section 10 (3), section 13 (1), section 27 (4), sections 28 to 31, section 32 (1), (2) and (4), sections 33 to 37, section 39 and section 58 (2).

(2) In other cases, the Data Protection Agency shall give opinions to the authority acting as controller.

61. No appeals may be brought before any other administrative authority against the decisions made by the Data Protection Agency under the provisions of this Act.

62. – (1) The Data Protection Agency may require to be furnished with any information of importance to its activities, including for the decision as to whether or not a particular matter falls under the provisions of this Act.

(2) The members and the staff of the Data Protection Agency shall at any time, against appropriate proof of identity and without any court order, have access to all premises from which processing operations carried out on behalf of the public administration are administered, or from which there is access to the data subject to processing, and to all premises where data or technical equipment are stored or used.

(3) Subsection (2) shall apply correspondingly as regards processing operations carried out on behalf of private data controllers to the extent that such processing is covered by section 50.

(4) Subsection (2) shall also apply to processing operations carried out by processors as referred to in section 53.

63. – (1) The Data Protection Agency may decide that notifications and applications for authorisations under the provisions of this Act and any changes therein may or shall be submitted in a specified manner.

(2) An amount of DKK 1,000 shall be payable in connection with the submission of the following notifications and applications for authorisations under this Act:

(3) Notifications as referred to in subsection (2) 1 and 3 shall be deemed to have been submitted only when payment has been effected. The Data Protection Agency may decide that authorisations as referred to in subsection (2) 2 shall not be granted until payment has been effected.

(4) The provisions of subsection (2) 1 and 2 do not apply to processing of data which takes place exclusively for scientific or statistical purposes.

(5) Where a processing operation shall both be notified under section 48 and authorised under section 50, only a single fee shall be payable.

64. – (1) The Data Protection Agency may, on its own initiative or at the request of another Member State, check that a processing operation of data taking place in Denmark is lawful, irrespective of whether or not the processing operation is governed by the legislation of another Member State. The provisions laid down in sections 59 and 62 shall be correspondingly applicable.

(2) The Data Protection Agency may further disclose data to supervisory authorities in other Member States to the extent that this is required in order to ensure compliance with the provisions of this Act or those of the data protection legislation of the Member State concerned.

65. The Data Protection Agency shall submit an annual report on its activities to the Folketing (the Danish Parliament). The report shall be made public. The Data Protection Agency may also make its opinions accessible to the general public. Section 30 shall be correspondingly applicable.

66. The Data Protection Agency and the Danish Court Administration shall co-operate to the extent required to fulfil their obligations, particularly through the exchange of all relevant data.

Part 17

Supervision of the courts

67. – (1) The Danish Court Administration shall supervise the processing of data carried out on behalf of the courts.

(2) Such supervision shall include the processing of data as regards the administrative affairs of the courts.

(3) As regards other processing of personal data, the decision shall be taken by the competent court. Such decisions may be appealed against to a higher court. As regards special courts or tribunals whose decisions cannot be appealed against to a higher court, decisions as referred to in clause 1 of this subsection may be appealed against to the division of the High Court within whose jurisdiction the court or tribunal is situated. The period allowed for appeal is 4 weeks from the date on which the individual concerned has been notified of the decision.

68. – (1) The provisions of sections 56 and 58, section 62 (1), (2) and (4), section 63 (1) and section 66 shall apply to the exercise by the Danish Court Administration of its supervision under section 67. The decisions of the Danish Court Administration are final and conclusive.

(2) The opinion of the Danish Court Administration shall be obtained when Orders or similar general legal regulations of importance for the protection of privacy in connection with the processing of data carried out for the courts are to be drawn up.

(3) The Danish Court Administration shall publish an annual report on its activities.

Part 18

Liability in damages and criminal liability

69. The controller shall compensate any damage caused by the processing of data in violation of the provisions of this Act unless it is established that such damage could not have been averted through the diligence and care required in connection with the processing of data.

70. - (1) In the absence of more severe punishment being prescribed under other legislation, any person who commits any of the following offences in connection with processing carried out on behalf of private individuals or bodies shall be liable to a fine or detention:

(2) In the absence of more severe punishment being prescribed under other legislation, any person who in connection with a processing operation carried out on behalf of public authorities violates section 41 (3) or section 53 or fails to comply with conditions as referred to in section 7 (7), section 9 (3), section 10 (3), section 13 (1), section 27 (4) or any other terms or conditions for an authorisation in accordance with rules issued by virtue of this Act shall be liable to a fine or detention.

(3) In the absence of more severe punishment being prescribed under other legislation, any person who in connection with a processing operation governed by another Member State’s legislation fails to comply with the decisions of the Data Protection Agency under section 59 or to fulfil the requirements of the Data Protection Agency under section 62 (1), or obstructs the Data Protection Agency’s right of access under section 62 (3) and (4) shall be liable to a fine or detention.

(4) Any rules issued by virtue of this Act may stipulate punishment in the form of a fine or detention.

(5) Criminal liability may be imposed on companies, etc. (legal persons) pursuant to the rules laid down in Part 5 of the Danish Penal Code.

71. Any person who carries on business or is engaged in business activities as referred to in section 50 (1) 2 to 5 or section 53 may on conviction of a criminal offence be deprived of the right to carry on such business activities provided that the offence committed gives reasonable ground to fears of abuse. Section 79 (3) and (4) shall also apply.

Part 19

Final provisions, including commencement provisions, etc.

72. The competent minister may in special cases lay down more detailed rules for processing operations carried out on behalf of the public administration.

73. The Minister of Justice may lay down more detailed rules concerning certain categories of processing operations carried out on behalf of private controllers, including rules to the effect that specific categories of data may not be processed.

74. Trade associations and other bodies representing other categories of private controllers may in co-operation with the Data Protection Agency draw up codes of conduct intended to contribute to the proper implementation of the rules laid down in this Act.

75. The Minister of Justice may lay down the rules which are necessary for the implementation of decisions issued by the European Community with a view to implementation of the Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, or rules which are necessary for the application of legal acts issued by the Community in the field covered by the Directive.

76. - (1) This Act shall come into operation on 1 July 2000.

(2) The Public Authorities’ Registers Act, cf. Consolidation Act No. 654 of 20 September 1991, and the Private Registers, etc. Act, cf. Consolidation Act No. 622 of 2 October 1987 are hereby abolished.

(3) The members of the Register Council shall step in as members of the Data Protection Council until the Minister of Justice has appointed the members of the Data Protection Council.

(4) Order No. 160 of 20 April 1979 on the rules of procedure of the Register Council, etc. shall apply to the activities of the Data Protection Agency until they are abolished or replaced by rules issued by virtue of this Act.

(5) Decree No. 73 of 5 March 1979 which provides that regulations for registers, etc. drawn up by virtue of the Public Authorities’ Registers Act shall not be published in the Law Gazette is hereby abolished.

(6) Complaints or control cases filed before 24 October 1998 shall be dealt with in accordance with the rules applying until now. The Data Protection Agency shall exercise the powers vested in the Data Surveillance Authority under these rules.

(7) The Data Protection Agency shall otherwise perform the tasks which are according to the legislation performed by the Data Surveillance Authority.

77. - (1) As regards processing operations carried out on behalf of private individuals or bodies and which were commenced before 24 October 1998, the rules laid down in Part 13 shall be implemented by 1 October 2000 at the latest.

(2) As regards processing operations carried out on behalf of public authorities and which were commenced before 24 October 1998, the rules laid down in Parts 12 and 14 shall be implemented by 1 April 2001 at the latest.

(3) Processing operations commenced before 24 October 1998 may continue without authorisation for 16 weeks after the coming into operation of this Act if authorisation is required under the rules laid down in Title II or the provision laid down in subsection (7).

(4) Processing operations commenced on 24 October 1998 or later, but before the coming into operation of this Act, may continue without prior notification, opinion or authorisation for 16 weeks after the coming into operation of this Act.

(5) Notification according to the provision laid down in section 53 shall take place within 16 weeks after the coming into operation of this Act.

(6) The Minister of Justice may lay down rules concerning prolongation of the time limit mentioned in subsections (1) and (2).

(7) The Supervisory Authority may in exceptional cases and on application decide that processing operations commenced before the coming into operation of this Act may continue, irrespective of the rules on processing laid down in Title II.

78. - (1) Processing operations which have been notified before the coming into operation of this Act under section 2 (3) second clause of the Private Registers, etc. Act may continue until 1 October 2001 in accordance with the rules applying until now. The Data Protection Agency shall exercise the powers vested in the Data Surveillance Authority.

(2) Processing operations as mentioned in subsection (1) shall comply with sections 5, 41 and 42 of the Act. As regards such operations, the data subject may demand rectification, erasure or blocking of data which are inaccurate or misleading or which are stored in a way which is incompatible with the legitimate purposes pursued by the controller. The Data Protection Agency shall carry out inspection under the rules laid down in Part 16 of this Act.

79. Consent which has been given in accordance with the rules applying until now shall apply to processing operations carried out after the coming into operation of this Act if the consent satisfies the requirements laid down in paragraph 8 of section 3 of this Act, cf. paragraph 1 of section 6, paragraph 1 of section 7 (2), paragraphs 2 to 5 of section 8, paragraph 2 of section 11 (2) or subsection (3) or paragraph 1 of section 27 (3).

80. Act No. 572 of 19 December 1985 on public administration, as amended by Act No. 276 of 13 May 1998, shall be amended as follows:

1. Section 5 (3) shall read as follows:

"(3) The competent minister may lay down rules on public access to be informed of registers as mentioned in subsection (2) which are not covered by the Act on the processing of personal data. In this connection rules on the payment of a fee may be laid down."

81. Act No. 430 of 1 June 1994 on information data bases operated by the mass media shall be amended as follows:

1. In section 3, subsections (1) and (3), and section 6 (1) the term "Data Surveillance Authority" shall be replaced by "Data Protection Agency".

2. The following provision shall be inserted as a new section 11 a:

"11 a. The necessary security measures shall be taken to prevent data in information data bases accessible by the general public from being altered by unauthorised persons."

3. Paragraph 1 of section 16 (1) shall read as follows:

"1. violates sections 4, 5, 7, 8 (1), paragraphs 2 and 3 of section 9, section 11 (1) and (3) or section 11 a."

4. Section 17 shall read as follows:

"17 - (1) A mass media shall compensate any damage caused by a processing operation in violation of the rules laid down in this Act unless it is proven that the damage could not have been averted by the diligence and care which can reasonably be required in connection with processing of data. The general rules of the law of tort and compensation shall be applicable.

(2) The general rules of law on criminal liability shall be applicable in cases covered by this Act.

(3) Criminal liability under the rules laid down in Part 5 of the Penal Code may be imposed upon companies and similar bodies (legal persons)."

82. The Danish Land Registration Act, cf. Consolidation Act No. 622 of 15 September 1986, as amended most recently by section 2 of Act No. 1019 of 23 December 1998, shall be amended as follows:

1. In section 50 d (1) the term "Data Surveillance Authority" shall be replaced by "Danish Court Administration".

2. Section 50 d (2) and (3) shall read as follows:

"(2) The Danish Court Administration shall carry out inspection of registers of land charges, etc. under the Act. No appeal can be brought against the decisions of the Court Administration.

(3) The Minister of Justice shall lay down more detailed rules about this inspection in consultation with the Danish Court Administration."

83. This Act shall not extend to the Faroe Islands, but may by Royal Decree be given effect for the processing of data by the constitutional authorities subject to any deviations following from the special conditions in the Faroe Islands. Nor shall this Act extend to Greenland, but may by Royal Decree be given effect subject to any deviations following from the special conditions in Greenland.

Given at Christiansborg Castle, 31 May 2000

Under our Royal Hand and Seal

MARGRETHE R.

/FRANK JENSEN


[1] This Act implements Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal of the European Communities 1995 L. 281, page 31 ff.).

__________________

Ministry of Justice, file no. 1997-760-0464