When does the Data Protection Regulation apply?

This section gives an overview of which situations that are covered by the Data Protection Regulation and which situations that are typically excluded.

The Data Protection Regulation applies:

  • When citizens’ data are processed: The Data Protection Regulation applies when public authorities, private companies, associations etc. process data on natural persons. The concept of ‘natural person’ also includes sole proprietorships, since in practice it is not possible to distinguish between information about the owner as an individual and information about the company.
  • When the information is processed automatically or is entered in a register: When personal data are used in a way that makes them easy and quickly searchable, they will typically be covered by the Data Protection Regulation. This means that the regulation applies when personal data are processed in full or in part automatically or when the data are entered in a register.
  • When it concerns Danish matters: In the vast majority of cases, the processing of personal data carried out in Denmark will be subject to Danish legislation, i.e. the regulation and any relevant Danish special regulations. In Denmark, as a general rule, the Data Protection Regulation applies if the data controller’s authority or company is established in Denmark and the processing of personal data takes place within the EU territory.

    It shall also apply where data relating to persons staying in Denmark are processed, if the processing concerns the supply of goods or services to persons staying in Denmark, or where the behavior of persons in Denmark is monitored. However, there may be situations where the controller is established in another EU country. In that case, the legislation of that country will apply. This means, for example, that Facebook’s activities are regulated by Irish legislation because Facebook has its European main establishment in Ireland.

The Data Protection Regulation does not apply

  • When the information of undertakings or authorities is processed: Unlike sole proprietors, information on other types of companies is not protected by the Data Protection Regulation. Information about authorities is also not protected by the Regulation.
  • Where the purpose of the processing of data relates, for example, to criminal law or State security: The processing of personal data for activities falling outside the scope of EU law, etc., such as state security, is not covered by the Regulation. The same is true when authorities process personal data in criminal cases.. In the latter case, Directive (EU) 2016/680 of the European Parliament and of the Council (the Law Enforcement Directive) applies. The Directive was transposed into Danish law by Act No 410 of 27 April 2017.
  • When citizens process information in the context of private activities: The processing of personal data by individuals is in many cases totally excluded from the regulation if they are not related to a commercial or commercial activity. The Regulation therefore does not apply to the processing of personal data carried out by a natural person as part of purely personal or family activities. Such activities may include correspondence and the keeping of a list of addresses and to some extent also activities on social networks and on the network in general.