On 2 February 2016, the Data Protection Agency published the news that it is to set up a new supervisory entity. The supervisory entity is to conduct all the Data Protection Agency's planned supervisory controls and be responsible for the current supervision of any violations of the safety requirements laid down in the Danish Act on Processing of Personal Data (persondataloven).
Supervisory controls planned for 2016
In 2016, the supervisory entity will focus on selected topics among 50 public and private data controllers. The topics are selected on the basis of the Data Protection Agency's supervision strategy for 2016-2018 and will particularly focus on the actual processing of personal data. This applies to processing which, due to its scope or purpose, may involve a particular risk of infringement of the rights of data subjects as well as processing involving the use of new technology.
Among the public authorities, the 30 supervisory controls will focus on supervision of topics, such as detailed safety rules, the authority's own supervision, data processing agreements and the authority's internal controls of data processors.
Among the private data controllers, the 20 supervisory controls will focus on supervision of topics, such as compliance with the terms of the Data Protection Agency, data processing agreements and the business's internal controls of data processors.
The new initiative may be construed as one of the Data Protection Agency's efforts to become a more active and outward-looking supervisory authority which has also been contemplated by the future personal data protection regulation.
Authorities and private businesses which have not yet commenced work with data protection compliance often experience this to be a task difficult to grasp. Bech-Bruun has developed a special personal data pre-audit service for data controlling businesses and public authorities. A pre-audit will assess the current compliance level of any business or public authority relative to the rules of the Act on Processing of Personal Data. The pre-audit will be conducted, among other things, by way of interviews among key staff of the data controller and by reviews of key policies, agreements, reports and instructions.