The Danish Data Protection Agency has the power to investigate complaints and cases, and to order the suspension of processing and/or transfer of data, as well as the destruction of data and other similar actions; these orders can be appealed to the courts.
Individuals can file complaints with the Agency and can seek a judicial remedy for violations of the law, for example damages pursuant to the general civil law.
The Danish Act on Processing of Personal Data provides for two types of criminal sanctions: fines and imprisonment for up to 4 months. Only natural persons are subject to imprisonment and, generally, imprisonment as a sanction is less likely. Further, the Danish Criminal Code envisages criminal sanctions for hacking, e.g. illegal access to IT systems, user profiles on social media, e-mail accounts and other programs that are the property of others. The criminal sanctions are fines and imprisonment for up to 1 year and 6 months (however, up to 6 years under aggravating circumstances).
Any employee who has intentionally or negligently infringed the Danish Act on Processing of Personal Data may be subject to punishment. The Danish Data Protection Agency has authority to publish its decisions on its website (www.datatilsynet.dk), which may lead to unwanted publicity and damage to reputation.
Selected Enforcement Actions / General Comments
Fines are uncommon as a means of sanctioning; the Danish Data Protection Agency usually gives a reprimand and sets a deadline for achieving compliance with the requirements. If these initiatives are ignored, the legal entity in question might be reported to the police and thus fined. The highest fine to date was imposed in 2001 and was set at DKK 25,000 (approx. €3,360). However, in the light of international practice, the fine level in Denmark is expected to increase.