How to handle breaches of the data protection rules
On 25 May 2018 – the same day that the General Data Protection Regulation entered into force – the Director of Public Prosecutions issued a notice describing how breaches of the data protection rules will be handled.
In all criminal cases involving breach of the data protection rules, the police must, according to the notice, obtain a statement from the Danish Data Protection Agency, including on the issue of sanctions, before deciding to bring a charge. The Agency’s opinion must include e.g. a description of the level of sanctions in the other EU member states.
If the police decides to bring a charge as recommended by the Agency, it just has to notify the Agency.
If, however, the police disagrees with the Agency as to whether a charge should be brought or not, the question must be submitted to the regional public prosecutor. But first, the Agency must have an opportunity to express one more opinion. If the police and the Agency still disagree, the police must submit the matter to the state prosecutor.
It also appears from the notice from the Director of Public Prosecutions that prosecutors focus on cases involving breach of the data protection rules in relation to case law. It means that such cases may not be decided by imposing a fine notice until the level of sanctions is sufficiently clear in case law. It also means that the police must discuss the question of appeal with the regional public prosecutor in all district court cases before expiry of the period allowed for appeal if the prosecution’s claim is not sustained in full.
Read the Director’s notice (in Danish).