New EU rules on personal data finally adopted

The new rules on personal data have just been finally adopted by the EU. The rules will have major consequences for Danish businesses and authorities that in future will have to comply with more rigorous requirements applying to the handling of personal data.

One of the most far-reaching sets of rules in the EU was finally adopted on 14 April 2016 when the European Parliament as the last authority passed the Data Protection Regulation. The new Data Protection Regulation introduces a number of new requirements that all businesses and authorities must have a clear overview of all personal data and what they are precisely used for, and must be able to prove themselves that they comply with the substance of the law.

The big difference is not merely the substance of the rules but that completely new rigorous requirements are made as to documentation and the penalties for not complying with the rules have become much more severe.

The Data Protection Regulation introduces significantly more severe penalties for not complying with the rules. Repeated violations of the rules may entail fines of up to 4% of the global turnover of a business.

Danish businesses are up to date

It is Plesner's experience that Danish businesses and authorities are already focusing extensively on how to comply with the new rules.

Organisations should address four areas:
  • Firstly, a great deal of work is involved in getting an overview of all personal data in the organisation.
  • It is then to be assessed whether such data is collected, used, shared and deleted in accordance with the Data Protection Regulation.
  • Finally, a system is to be set up in order to be able to prove to the authorities in future that the rules are observed. This concerns not only general security requirements but all rules in the Data Protection Regulation. For instance, a system must be in place to ensure and prove that there is a legal basis for collecting personal data.
  • At the same time it is crucial to ensure that the business has the right competences, both if it is comprised by the group of businesses and authorities that are to have a Data Protection Officer (DPO) and if it is to use internal resources to implement the Data Protection Regulation.

Deadline in the summer of 2018

After more than four years of discussions the political agreement on the Data Protection Regulation was concluded in December 2015. The final formal adoption on 16 April 2016 also makes it possible to fix a deadline as to when Danish businesses and authorities must comply with the new rules, namely in slightly more than two years from now. The exact deadline formally runs from the date, expected to be within the next couple of weeks, when the Data Protection Regulation is published in the Official Journal of the European Union plus 2 years and 20 days.

Plesner strongly recommends not to wait but to take the first steps now. Handled correctly, the implementation of the regulation is not just an expense but can also be a valuable tool for the organisation.

Public authorities are to have a special data controller

One of the key steps in the Data Protection Regulation is the requirement that all public authorities, and some businesses, must employ a special data controller, a so-called Data Protection Officer (DPO).

In future, the authorities are to have a person who will enjoy special employment protection and will be given a number of central tasks, for instance to ensure that the rules are being observed. At the moment, public authorities are focusing on getting this task under control.


The most important innovations in the Data Protection Regulation:
  • a risk-based requirement that the business/authority must be able to prove compliance with the rules (accountability)
  • more rigorous requirements as to the documentation of consent
  • a strengthening of the data subject's rights
  • risk-based requirements as to privacy by design and privacy by default
  • a duty to inform the Danish Data Protection Agency and in some situations also the data subjects in case of data security failure (hacker attacks etc)
  • providers of social media and other information services are to obtain the consent of parents to process information about children under the age of 16. the Member States may choose to lower the age to 13.
  • public authorities and certain private businesses are to have Data Protection Officers (DPOs)
  • a new "one-stop-shop" for groups of companies set up in several Member States, making it easier for them to know which data protection agency that is competent to enforce the rules. But also a number of competences to determine special national rules.
  • right-to-be-forgotten
  • fines of up to 4% of annual global turnover

Latest news on Data Protection Law

Data Protection Law