DENMARK
The Danish Data Protection Agency website:
http://www.datatilsynet.dk/english/
The Act on Processing of Personal Data (Act No 429 of 31 May 2000 as amended by Act No 280 of 25 April 2001, Act No 552 of 24 June 2005 and Act No 519 of 6 June 2007):
http://www.datatilsynet.dk/english/the-act-on-processing-of-personal-data/
What needs to be done prior to collection?
NOTIFY THE DATA PROTECTION AGENCY
Section 48 – Notification
(1) Prior to the commencement of any processing of data which is carried out on behalf of a private controller, the controller or his representative must notify the Danish Data Protection Agency, cf., however Section 49.
(2) The notification must include the information mentioned in Section 43 (2)
Section 43 – Information to be included
- The name and address of the controller and of his representative, if any, and of the processor, if any;
- The category of processing and its purpose;
- A general description of the processing;
- A description of the categories of data subjects and of the categories of data relating to them;
- The recipients or categories of recipient to whom the data may be disclosed;
- Intended transfers of data to third countries;
- A general description of the measures to be taken to ensure security of processing;
- The date of the commencement of the processing;
- The date of the erasure of the data
Changes in the information shall be notified to the Agency prior to being implemented. Less important changes may be notified subsequently, at the latest 4 weeks after implementation.
Section 49 – Exemptions from Section 48
(1) Processing of data shall, except in the cases mentioned in Section 50 (2), be exempt from the rules laid down in Section 48 where:
a. The processing relates to data about employees, to the extent that the processing does not include data as mentioned in Section 7 (1) and Section 8 (4); or
b. The processing relates to data concerning the health of employees, to the extent that the processing of health data is necessary to comply with provisions laid down by law or regulations; or
c. The processing relates to data concerning employees if registration is necessary under collective agreements or other agreements on the labour market; or
d. The processing relates to data concerning customers, suppliers or other business relations, to the extent that the processing does not include data as mentioned in Section 7 (1) and Section 8 (4), or to the extent that it is not a matter of processing operations as mentioned in Section 50 (1); or
e. The processing is carried out for the purpose of market surveys, to the extent that the processing does not include data as mentioned in Section 7 (1) and Section 8 (4); or
f. The processing is carried out by an association or similar body, to the extent that only data concerning the members of the association are processed; or
g. The processing is carried out by lawyers or accountants in the course of business to the extent that only data concerning client matters are processed; or
h. The processing is carried out by doctors, nurses, dentists, dentist technicians, chemists, therapists, chiropractors and other persons authorised to exercise professional activities in the health sector, to the extent that the data are used solely for these activities and the processing of data is not carried out on behalf of a private hospital; or
i. The processing is carried out for the purpose of being used by an occupational health service
(2) The Minister of Justice shall lay down more detailed rules concerning the processing operations mentioned in subsection (1)
CONTACT THE DATA SUBJECT
Section 28 – Information to be given to the data subject
(1) Where the personal data have been collected from the data subject, the controller or his representative shall provide the data subject with the following information:
a) The identity of the controller and of his representative;
b) The purposes of the processing for which the data are intended;
c) Any further information which is necessary, having regard to the specific circumstances in which the personal data are collected, to enable the data subject to safeguard his interests, such as:
   i. The categories of recipient
   ii. Whether replies to the questions are obligatory or voluntary, as well as possible consequences of failure to reply
   iii. The rules on the right of access to and the right to rectify the data relating to the data subject
(2) The provisions of subsection (1) shall not apply where the data subject already has the information mentioned in paragraphs a to c
Section 29 – Information to be given to the data subject
(1) Where the data have not been obtained from the data subject, the controller or his representative shall at the time of undertaking the registration of the data, or where disclosure to a third party is envisaged, no later than the time when the data are disclosed, provide the data subject with the following information:
a. The identity of the controller and of his representative;
b. The purposes of the processing for which the data are intended;
c. Any further information which is necessary, having regard to the specific circumstances in which the personal data are collected, to enable the data subject to safeguard his interests, such as:
   i. The categories of data concerned
   ii. The categories of recipient
   iii. The rules on the right of access to and the right to rectify the data relating to the data subject
(2) The rules laid down in subsection (1) shall not apply where the data subject already has the information referred to in paragraphs a to c or if recording or disclosure is expressly laid down by law or regulations
(3) The rules laid down in subsection (1) shall not apply where the provision of such information to the data subject proves impossible or would involve a disproportionate effort
Section 30 – When Sections 28 and 29 do not apply
(1) Section 28 (1) and Section 29 (1) shall not apply if the data subject’s interest in obtaining this information is found to be overridden by essential considerations of private interests, including the consideration for the data subject himself
(2) Derogations from Section 28 (1) and Section 29 (1) may also take place if the data subject’s interest in obtaining this information is found to be overridden by essential considerations of public interests, including in particular:
a. National Security;
b. Defence;
c. Public Security;
d. The prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for regulated professions;
e. Important economic or financial interests of a Member State or of the European Union, including monetary, budgetary and taxation matters; and
f. Monitoring, Inspection or Regulatory functions, including temporary tasks, connected with the exercise of official authority in cases referred to in paragraphs c to e
What needs to be done prior to shipping?
Section 27 – Transfer of personal data to third countries
(1) Transfer of data to a third country may take place only if the third country in question ensures an adequate level of protection, cf. however subsection 3
(2) The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation, in particular the nature of the data, the purpose and duration of the processing operation, the country of origin and country of final destination, the rules of law in force in the third country in question and the professional rules and security measures which are complied with in that country
(3) In addition to the cases mentioned in subsection (1), transfer of data to a third country may take place if:
a. The data subject has given his explicit consent; or
b. The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request; or
c. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
d. The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
e. The transfer is necessary in order to protect the vital interests of the data subject; or
f. The transfer is made from a register which according to law or regulations is open to consultation either by the public in general or by any person who can demonstrate legitimate interests, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case; or
g. The transfer is necessary for the prevention, investigation and prosecution of criminal offences and the execution of sentences or the protection of persons charged, witnesses or other persons in criminal proceedings; or
h. The transfer is necessary to safeguard public security, the defence of the Realm, or national security
(4) Outside the scope of the transfers referred to in subsection (3), the Data Protection Agency may authorise a transfer of personal data to a third country which does not fulfil the provisions laid down in subsection (1), where the controller adduces adequate safeguards with respect to the protection of the rights of the data subject. Specific conditions may be laid down for the transfer. The Data Protection Agency shall inform the European Commission and the other Member States of the authorisations granted pursuant to this provision.
(5) The rules laid down in this Act shall otherwise apply to transfers of personal data to third countries in accordance with subsections (1), (3) and (4)
What are the sanctions for non-compliance?
Section 70
In the absence of more severe penalties being prescribed under other legislation, any person who commits any of the following offences in connection with processing carried out on behalf of private individuals or bodies shall be liable to a fine or prison of up to 4 months.
This includes breach of Section 27, Section 28, Section 29 and Section 48.
Please refer to the Danish Data Protection Agency Website for more information on the Statute.