Data subjects’ rights under Danish data protection law

Right of access

In contrast to the old rules, a data subject may request the right to access at reasonable intervals (the old six-month rule does not apply any longer). Also, no fee may be charged; however, for an additional request, a reasonable fee may be charged to cover administrative costs.

The Danish Data Protection Agency provides a template to comply with the right of access: https://www.datatilsynet.dk/media/6813/skabelon_til_en_aftale_vedroerende_faelles_dataansvar.docx (in Danish)

Derogation to the right of access

The DPA provides that there should be no right to access information, if essential considerations of private or public interests override the data subject’s interests (DPA Section 22(1)-(2)). Public interest includes: national security; defense; public security; the prevention, investigation, detection or prosecution of criminal offences; or the enforcement of criminal penalties.

However, only information that is actually subject to the private or public interest may be withheld from the data subject.

The rule will be relevant with respect to handling of whistleblowing reports, in which subject access requests may be denied, or regarding trade-secret protection.

Also, where the processing of data takes place exclusively for scientific or statistical purposes, an access request may be denied (DPA Section 22(6)).

General exemptions to data subject’s rights

Articles 15, 16, 18 and 21 of the GDPR shall not apply, if the processing of data takes place exclusively for scientific or statistical purposes (DPA Section 22(6)).