Data protection law

While the most important rules on the area are derived from the EU,  Denmark also has a number of special rules implemented. Examples include special rules on civil registration numbers, information about criminal records, other information of a purely private nature, and data processing in the context of credit rating activities. For many industries there will also be special statutory rules to be observed. 

Our specialists advise on all legal aspects of data protection law in all industries, including the financial sector, the research and health sector and the telecom industry, and we have reinforced and expanded our skills and advice on data protection law quite substantially in recent years. With our many experienced and skilled attorneys and assistant attorneys, Kromann Reumert therefore ranks among the leading Danish law firms within this field.

Here are some typical examples of data protection issues that we advise clients on: 

• Data transfers into central corporate databases
• Data transfers to countries outside the EU, including in connection with outsourcing
• Drafting and implementation of binding corporate rules
• Setting up whistleblower schemes
• Processing of information in anti-corruption initiatives and investigations
• Processing of special types of data, e.g. credit data, customer data, health information, and employee data
• Collection and processing of data in the pharmaceutical industry, e.g. in conducting clinical trials
• Data protection issues in relation to M&As and bankruptcies
• Drafting privacy policies
• The rights of data subjects, including right of access to data
• Technical and organisational safety requirements
• Applications, approvals and complaints in relation to regulatory authorities.

We can help both in the obtaining of data processing permits, with enquiries and with complaints or supervisory proceedings in all of the areas listed above. 

But the areas for which there are special regulations in place as described above are not the only ones to look out for. Also general data protection requirements will frequently require attention. Those requirements are the ones that impact the greatest number of companies, and we therefore also have extensive experience advising on them. 

Areas include:

• Use of data processors
• Security requirements and the handling of incidents
• Drafting privacy policies
• Use of video surveillance
• Sale of personal data in connection with a transfer of undertaking
• Staff data for administrative purposes.

Some of the issues come up in connection with other challenges. For example, in a transfer of undertaking it may be all-important whether the buyer will be able to access the customer files of the new company or will have to start over and collect the data anew. 

Other recommended points to consider 

A company’s public image may suffer tremendously if, for example, it is found to have used unlawful video surveillance and is criticised for it by authorities, employees or customers. Breaches of data security can be equally damaging and are often a critical point in many complaints and supervisory proceedings with with the Danish Data Protection Agency. Security incidents can become costly affairs and cause severe damage to a company’s image. 

We have advised on preventive measures in all manner of situations and have also stepped in for urgent crisis management when things have gone wrong.

Basis for data transfers

Transferring data to countries outside the EU is complicated business and will require, in most cases, the prior permission of the Danish Data Protection Agency. The permission may be based on EU model agreements, guaranteeing an adequate level of protection for the processing of data outside the EU, or any binding corporate rules the company may have implemented to govern the processing.

Choosing the right basis

We can advise you on what basis of transfer to choose. We will look at the pros and cons of each option, many of which will depend on the specific circumstances of each case, among other things:

How much data will be transferred, and how often?
Who are the parties involved?
What kind of information will be transferred?

Credit information, credit ratings, warning registers, etc.

The Act on Processing of Personal Data contains special regulations on processing of credit information, warning registers, etc., and there are also special rules to be observed by financial companies. Companies engaging in the obtaining or disclosing of credit information find themselves in a very complex area of regulation, and also the companies collecting and using the information need to be attentive of the special rules. 

We have in-depth experience with the rules and are able, therefore, to advise in detail about how to navigate and what to do to ensure a compliant and commercially viable processing of data.

Clinical trials, health information

Pharmaceutical companies engaging in clinical trials are subject to special rules and regulations, as are anyone active in the treatment of disease, i.e. hospitals, alternative therapists, other healthcare providers, etc.  

We serve as legal advisers to some of the biggest pharmaceutical companies in the world and have in-depth knowledge of the requirements to meet when applying for permission to conduct clinical trials and for subsequent monitoring of the pharmaceuticals. 

We are also thoroughly experienced in the special rules for treatments and processing under healthcare law, e.g. requirements for journals, patients’ consent, etc.