Geographic area of application

Controller that is established in Denmark
If the handling of data is performed for a controller that is established in Denmark, the Act on Processing of Personal Data will typically apply. This is stipulated in section 4 (1) of the law. However, one condition is that the activities take place within the European Community.

The registered controller’s nationality, place of residence or location is of no importance.

The determining factor is that the controller is established in Denmark - not where the handling takes place. Even if the controller utilises an IT service agency or a data processor in another EU country or a third country, the Danish law applies when the controller is established in Denmark. However, the data processing must be connected to the activities within the European Community.
Establishment is defined as the actual performance of activities through a more permanent structure. This may include activities carried out by a branch or a subsidiary with status as a legal person (see also recital 19 in the directive’s preamble).


Controller that is established in other EU countries
If a controller is established in another EU country but not established in Denmark, and carries out activities in Danish territory, the Act on Processing of Personal Data does not apply; the law of the EU country in question applies instead. All EU countries are required to have a law that complies with the data protection directive (95/46/EC). Norway and Iceland also have such laws and, in this regard, are subject to identical conditions as the EU countries.

If a controller established in another EU country uses an IT service agency or a data processor in Denmark, the law does not apply. However, section 41 (3) of the Act on Processing of Personal Data stipulates that the security rules apply to the data processor.

 
Controller established in a third country
According to section 4 (3), the Act on Processing of Personal Data applies if:


• The controller is established in a third country and the processing of data is carried out with the use of equipment situated in Denmark, unless such equipment is used only for the purpose of transmitting data through the territory of the European Community.
• Data is collected in Denmark for the purpose of processing in a third country.


In cases where equipment is used in Denmark, the controller must appoint a representative that is established in Denmark, cf. section 4 (4), and report the identity of this appointed person to the Danish Data Protection Agency.

The preparatory work for the Act cites technical equipment as an example of equipment. Whether or not the equipment is IT-based is not of importance.

Thus, if a controller established in a third country utilises an IT service agency or a data processor in Denmark, the Act on Processing of Personal Data applies. However, the Act on Processing of Personal Data will only apply to the actual handling that takes place in Denmark.

In such circumstances, the requirements for data security and the rules on reporting are relevant.

 
Examples
The Danish Data Protection Agency’s practice in this area is still limited. The agency hopes in the future to be able to elaborate on the scope of the rules by citing concrete examples.

A. If, for example, there is a parent company in Denmark with subsidiaries in countries within the European Community, the independent processing for which the subsidiaries are the controller will solely be subject to the applicable EU country’s laws. This will be the case regardless of whether operations are performed in Denmark.

B. If the Danish parent company has subsidiaries established in third countries and the Danish parent company performs data processing for these subsidiaries, including e.g. operations, the Act on Processing of Personal Data will apply to the degree that equipment is used for data processing. However, the Act on Processing of Personal Data will only apply to the actual handling that takes place in Denmark.

C. The Danish parent company’s own processing of personal data received from the subsidiaries established either within the European Community or a third country will be subject to the Act on Processing of Personal Data. This is processing for which the parent company is the controller. However, the law applies only to the actual processing that is carried out by the parent company within the European Community.

D. A contact agency collects data in Denmark via the internet. The website used appears with a Danish domain name and the text on the page is partially in Danish. Furthermore, the page refers to telephone numbers in Denmark. The agency is run by a Thai business with its address in Thailand, where all of the data and registers are located. Incoming mail is passed on from an address in Denmark and the Danish addressee is responsible for the payment. The Danish Data Protection Agency has deemed that the Act on Processing of Personal Data applies to the contact agency’s activities in Denmark. As the agency processes data covered by sections 7 and 8 (sensitive data) of the Act on Processing of Personal Data, the contact agency must notify the Danish Data Protection Agency and obtain authorisation from the Danish Data Protection Agency for such processing.

E. If a Swedish company establishes a branch (in terms of company law) in Denmark, the company is established in both Sweden (the company) and in Denmark (the branch). The company will now be subject to the Danish Act on Processing of Personal Data with regard to the processing of personal data that is performed for the Danish branch, regardless of whether the actual processing takes place in Sweden or Denmark.

F. If a Swedish company has established a branch in Denmark that only processes data on behalf of the Swedish company, the Swedish company is the controller and the branch can be seen as data processor. In such cases, the branch must only abide by chapter 11 of the Act on Processing of Personal Data, which regards security. The processing will also be subject to Swedish law.

G. If a Swedish pharmaceutical company or a Swedish subsidiary of a Danish pharmaceutical company is the controller for a research or statistical project in which Danish divisions/centres participate, or where data is retrieved from Danish registers, the project does not have to be notified to the Danish Data Protection Agency, but perhaps to the Swedish data protection authorities. This applies even if the project must have permission from the Danish scientific ethics committee system.

H. If a Danish company that sells goods to persons, e.g. by mail order, has customers in other countries, the information about these customers is subject to the Danish Act on Processing of Personal Data. The regulations of the Act on Processing of Personal Data regarding the use of data about consumers for marketing on behalf of other companies and regarding transfer to other companies for this purpose must be complied with, regardless of whether the other company that intends to use or transfer the information for marketing purposes is located in Denmark or another country.