Data protectioni Requirements for registration
The rules governing processing of personal data are set forth in the GDPR and the new supplementary Danish Act, the Data Protection Act, which was adopted on 17 May 2018.
There is no general obligation for companies operating in Denmark to register with the Danish authorities in relation to their processing of personal data.
Certain fundamental requirements applicable to all processing of personal data are provided in the GDPR as well as in the Act. In particular, the GDPR requires that the processing of personal data is conducted for an explicit and legitimate purpose, only to the extent required by that purpose, and that further processing must not take place in a manner incompatible with that purpose.
Another fundamental employer requirement is to provide certain information to the employees (or other data subjects, if relevant) in connection with the employer's collection of employee personal data (whether from the employee or a third party). The mandatory information set forth in the GDPR (Articles 13 and 14) is (1) the identity of the data controller; (2) the purpose of the data processing; and (3) any further information that is necessary, having regard to the specific circumstances in which the personal data is collected, to enable the data subject to safeguard his or her interests (e.g., the types of data collected, the recipients, if any, and any transfers outside the EEA).
These fundamental requirements must be satisfied regardless of any employee consent.
Under the GDPR, an employer is – as a general rule – permitted to process personal employee data to a usual and reasonable extent in connection with the employer's HR administration without obtaining employee consent. However, see below regarding sensitive data.
Access levels to personal data must, in principle, be limited to ensure that any access is given for a legitimate business purpose, namely on a need-to-know basis.
The data controller (typically the employer in the context of employee data) is required by the GDPR to implement appropriate technical and organisational security measures to protect data against accidental or unlawful destruction, loss or alteration, and against unauthorised disclosure, abuse or other processing in violation of the provisions laid down in the GDPR.
Infringement of data protection law may result in a number of different sanctions, such as agency orders, fines and an obligation to indemnify any damage suffered by the data subject (and others, if relevant) as a result of the infringement, along with criticism from the Data Protection Authority (DPA). As the maximum fine has been increased very significantly (the higher of 4 per cent of annual group turnover or €20 million), any company should be aware of the financial risks associated with GDPR violations. In our experience, however, the most detrimental (potential) consequence of any infringement is significant negative press coverage and bad will. The rulings of the DPA are usually published on the DPA's website, which is monitored by the press to a certain extent.ii Cross-border data transfers
Any processing of personal data must be conducted in accordance with the fundamental requirements of the GDPR, including cross-border transfers. Cross-border transfer within the EEA is subject to the normal rules on transfer of personal data in the GDPR. There is no requirement to register the transfer with the DPA.
Transfer of personal data outside the EEA is subject to special rules. The GDPR restricts transfer of data outside the EEA, unless the recipient is located in a geographic area approved by the European Commission, or if the data controller and processor has provided appropriate safeguards for protecting the personal data in question. According to Chapter 5 of the GDPR, the following three approaches are possible:
- Adequacy decisions: the European Commission is empowered to designate a country or a territory as providing an adequate level of data protection. According to the GDPR, transfer of personal data is allowed to a country or territory that has this 'adequacy decision'. The European Commission makes its decisions based on factors such as the rule of law and respect for human rights. An example of this decision is the EU–US Privacy Shield. The European Union and the United States have signed an agreement establishing the legal grounds for transferring personal data from European companies to recipients in the US. The new agreement, the EU–US Privacy Shield, replaced the Safe Harbour scheme. In brief, the new political agreement imposes more stringent obligations on US companies in connection with the processing of personal data transferred from the EU. In addition, it includes a possibility for increased enforcement by US authorities, who also intend to increase cooperation with European DPAs. The agreement was deemed adequate to enable data transfers under EU law by the EU Commission on 7 July 2016, and as of 1 August 2016, companies in the United States could certify their compliance with the EU–US Privacy Shield with the US Department of Commerce.
- Establishment of appropriate safeguards: the GDPR permits cross-border transfer of data, if the data controller or processor has provided the safeguards mentioned in Article 46 of the GDPR. This could be binding corporate rules, which define an intra-company policy certified by the relevant supervisory authority or standard contractual clauses comprising standard data protection clauses adopted by the European Commission. These contracts have a standard format.
- Specific derogations: Article 49 of the GDPR includes specific approaches that permit data transfer in the event of failing to utilise the mechanisms listed in points (a) and (b). For example, a data transfer can always take place with employee consent.
Generally, the legal basis for the processing of personal data depends on the type of data being processed – mainly, whether the data should be considered sensitive or not. According to the GDPR the term 'sensitive data' is no longer used, but the GDPR has instead introduced the term 'special categories of personal data' in Article 9. This category comprises genetic, biometric and health data as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions, or trade union membership. As a general rule, the processing of special categories of personal data requires prior employee consent or other legal grounds specifically mentioned in the GDPR.
Social security numbers and criminal records are not special categories of data according to the GDPR, which means that this information is subject to the general processing rules. However, according to the Danish Data Protection Act, these data categories require a higher level of security and are essentially covered by the same rules as the special categories of data.iv Background checks
Background checks are allowed as a general rule.
Some background checks, such as credit checks and criminal records checks, are permitted, subject to special requirements.
Credit checks are allowed with regard to employees in a position of trust or applicants applying for such positions (e.g., financial controllers, finance managers, key account managers or others with a certain financial responsibility and access to funds). The sole fact that a position involves access to funds does not imply that the position is considered a position of trust. As a general rule, credit checks require employee consent.
It is only permitted for the employer to collect information revealing criminal actions if the information is relevant to the position applied for by the applicant or undertaken by an existing employee, such as a crime committed for the sake of enrichment where the position applied for involves financial responsibility (e.g., a managing director, chief financial officer or financial controller). Private employers do not have access to public criminal records. Generally, access to such records requires written applicant or employee consent according to the Regulation on the Central Criminal Register.