1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
Depending on the risk posed by the personal data breach ("breach"), the supervisory authority and, in some cases, the affected individual(s) must be informed under the General Data Protection Regulation ("GDPR").
The controller is obligated to notify the supervisory authority of the breach, unless the controller is able to demonstrate, in accordance with the accountability principle under the GDPR, that the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall also communicate the personal data breach to the data subject, in order to allow him or her to take the necessary precautions.
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
The obligation to notify is triggered by the level of risk for the person(s) whose personal data has been breached, and not specifically the types of data involved in the breach, although the sensitivity of the data and the level of risk will often be related.
The duty of notification rests with the data controller or its representative, but the processor has the duty to inform the controller without undue delay of any breach it becomes aware of.
The Danish Data Protection Act contains a few restrictions on the rights of data subjects. The obligation to notify the data subject of a breach does not apply if the data subject's interest in the information is found to be overridden by essential considerations of private interests, including the interests of the data subject himself or herself. These derogations may also be allowed if the data subject's interest in obtaining this information is found to be overridden by essential considerations of public interests, including e.g.:
- national security;
- defence;
- public security;
- the prevention, investigation, detection or prosecution of criminal offences or the enforcement of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Finally, the obligation to notify the data subject does not apply where the supply of such information may specifically be assumed to impede the investigation of criminal offences. This decision can only be made by the police.
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
In case of a breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority. Where the notification is not made within 72 hours it shall be accompanied by reasons for the delay.
The notification shall at least:
- describe the nature of the breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the breach;
- describe the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
When the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subject without undue delay. The communication shall describe in clear and plain language the nature of the breach and contain at least the information listed in the second, third and fourth bullets above.
The affected persons shall be contacted directly unless this would involve disproportionate effort, in which case a public communication or similar measure that informs the data subjects equally effectively must be made instead. Examples of direct communication methods include email, SMS, direct message and postal communication.
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
Infringement of the obligations to notify can be subject to administrative fines up to EUR 10,000,000 or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. The fine can be combined with other corrective powers.
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
1.6 What are the applicable data protection laws or guidelines within your country?
The key legislation is the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) and the Danish Act on supplementary provisions to the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the Data Protection Act). In addition, the Danish Data Protection Agency has issued several guidelines regarding various data protection matters, e.g. on personal data breaches.
1.7 Contact information for Data Protection Authority:
Danish Data Protection Agency (Datatilsynet)
Carl Jacobsens Vej 35, DK-2500 Valby
+45 33 19 3200
+32 2 274 4835
For more information, contact:
Mikkel Friis Rossa or Charlotte Bagger Tranberg
Langelinie Allé 35, 2100 Copenhagen, Denmark
+45 72 27 3359 or +45 72 27 3476
+45 72 27 0027