Law on personal data

The law on personal data was a Danish law about the protection of personal information that has been replaced by the EU’s GDPR in 2018. The EU’s rules preceding this were a directive which are not legally binding for member states. Rather, it was up to individual states to adopt laws themselves. Denmark had the law on personal data that was adopted in 2000.

By establishing a regulation for the whole of the EU you guarantee uniform laws across all member states. It reduces bureaucracy for companies working in different member states. At the same time it has become more transparent for consumers to find out how their information is used.

The law on personal data and the GDPR

The law on personal data and the GDPR contain many identical elements. This is because they are based on a number of principles for good data handling practices, with the GDPR being somewhat stricter.

The stricter conditions for acquiring consent are a good example. Consent now has to be actively given which means that the use of already crossed boxes is no longer admissible. Furthermore, there are additional demands regarding information you have to provide when collecting personal data. When acquiring consent to collect sensitive data, you furthermore have to be given expressed consent. In other words, there can not be any doubt that the person giving consent has understood how the collected information is used.

Simultaneously, a number of new rights have been introduced. The EU has reaffirmed the right to remain anonymous and the right to be granted insight but the right of data portability has been newly introduced. Thereby, you can now demand to have your data delivered in a digital format in order to transfer it to a new data processor. For example between two banks. Before the regulation it was also possible to have your data deleted (in Denmark via the Datatilsynet) but today it has to be possible to do it at the respective company directly.

Privacy by design is another new element. Here, companies are required to include regards for personal data security into their design processes when developing new digital products. The demands for this are formulated relatively loosely, however.

Documentation requirements are the most essential new element. You now have to have agreements on data handling in place, adopted board decisions and developed directories of data handling activities. Fundamentally speaking, you have to prove that you work systematically and organized with regard to data protection. The data you own has to serve a purpose and be treated in accordance with that purpose.