Data protection

Businesses and authorities increasingly need to navigate a world characterised by digitalisation and the use of big data and cloud solutions. At the same time, there is a strong focus on the processing of personal data in relation to new technology, including artificial intelligence (AI) and the Internet of Things (IoT) – objects connected to the internet.

Data protection remains an important focus area

Digitalisation creates challenges for businesses because of the constant need to stay up to date. This is necessary not only in respect of new practices and guidelines, but also in respect of new, complex rules from the EU, such as the Data Act, the Data Governance Act and the Digital Services Act. Customers and business partners require higher and higher standards of conduct from businesses, while regulatory authorities increase cross-border cooperation to ensure effective enforcement of the rules. The levels of fines are relatively high, but orders and injunctions can be just as punitive for businesses.

Any failure to comply with the data protection rules can be costly in monetary terms but may also result in loss of brand value and in bad publicity.

Our advice

In Denmark, data protection rules are implemented in the General Data Protection Regulation (GDPR) and the Danish Data Protection Act. However, data protection rules can also be found in special legislation, for example legislation governing the financial sector, research, and patient care. Rules applicable in one area may not necessarily apply in another.

We assist and advise businesses in all sectors as well as authorities on compliance with data protection rules. We act as a legal and strategic business partner for our clients.

Below, we have gathered examples of our advisory services within different areas and sectors:

Personal data, annual compliance cycle, and test audits

It is a fundamental requirement that data controllers and data processors know what personal data are being processed and for which purposes. Many businesses process, store and transfer large quantities of personal data without having properly considered the internal and external processes. 'Compliance' can be an elusive concept, and it is often difficult to figure out whether or not a business or authority is compliant.

There is no "one size fits all" solution for data protection compliance, but there are six steps to go through:

  1. Identification and preparation
  2. Data flow analysis
  3. Compliance analysis
  4. Action plan
  5. Implementation
  6. Maintenance

If you are not quite there yet, we can help you through the six steps.
To start with, we recommend that the responsibilities and tasks related to data protection are firmly embedded in strong governance structures. 

The management needs to be involved – preferably as early as possible – and to support the initiatives, both in the short and long term, if compliance is to truly live in the organisation. Management buy-in is crucial to getting the organisation to make the changes that GDPR compliance will inevitably bring. We can assist you in getting the management on board.

Next, you need to set up the internal team that is to define the framework and manage the day-to-day operations (the composition depends on the sector). They need to be empowered to advise the organisation on initiatives that will become a permanent, integrated part of the daily processes. Continuous training of employees is necessary to ensure awareness of the rules (for example, so that employees recognise an actual data breach when one occurs). If you are required to appoint a data protection officer (DPO), that function has an obligation to perform certain tasks. We can also take on the role of your DPO.

If you wish to know the level of your compliance, we can plan and perform compliance audits (test audits) in your organisation. These audits serve as a method of identifying infringements, determining their cause, and proposing specific actions to remedy existing and prevent future infringements. 

A compliance audit can also be a useful tool for getting management to listen to the importance of data protection.

Third-country transfers, international agreements and co-operation with data processors

Almost all organisations cooperate with suppliers that process personal data in one way or another as data processors (for example IT suppliers or payroll service providers), and such cooperation requires a data processing agreement. Data processing agreements are subject to certain content requirements, and data processors must be audited regularly.  

It is also necessary to ensure a full overview of the entire chain of data processors and sub-processors – particularly if they operate internationally. Transfer of personal data to countries outside the EU/EEA has received a lot of attention in recent years. The requirements are strict, and the authorities expect comprehensive security assessments and identification of any additional measures to protect the data during and after a transfer. 

We advise on all aspects of cooperation with data processors and international data transfers, including what is required before, during and after a transfer. We assist with everything from drafting data processing agreements to choosing the right transfer basis (EU-U.S. Data Privacy Framework (DPF), SCCs, Binding Corporate Rules, application of exemption clauses, etc.). Many suppliers also reserve the right to use data for their own purposes, and we advise on that as well.

We constantly follow developments and keep a finger on the pulse of the latest trends related to third-country transfers and the use of cloud services and artificial intelligence.

Personal data breaches and cyber security

Irrespective of the level of compliance with the security requirements, personal data breaches of various nature occur in all organisations. It is important that breaches are handled quickly, correctly and effectively to prevent them from causing more damage than necessary. We often assist clients with emergency crisis management when things have gone wrong, and we are available 24-7 in such situations. To begin with, we assist the client in stopping the breach and conducting a risk assessment of the breach. The purpose of the risk assessment is to determine whether the breach should be notified to the Danish Data Protection Agency (and/or other authorities) and to the data subjects.

Cybersecurity, digitalisation and data protection are closely linked, and this is where the NIS2 Directive and the DORA Regulation come into the picture. Both contain requirements for digital resilience. Our cyber security team advises on DORA and NIS2, and the GDPR team advises on how to comply with data protection law when selecting and implementing new technical and organisational measures, such as new firewalls, mobile device management or new cloud infrastructure. If required, we prepare data protection impact assessments (DPIAs) that provide a solid basis for management decision-making.

Artificial intelligence (AI)

When it comes to artificial intelligence, the question is no longer "if" but "how". A bridge needs to be built between AI and data protection. This can be a daunting task, and for all organisations using AI, it is necessary to incorporate privacy by design from the very start of the project, along with the legal basis for processing personal data, both for the training of models and for operations.

First and foremost, we apply our technical insight when advising on the tension between data protection law and AI. To begin with, it is relevant to clarify where AI is used in the organisation, either as systems or as components. In addition, there must be a legal basis for the processing, and the activity must be assessed against general principles such as data minimisation, the right to object, transparency, etc.

We also assist with the preparation of all documentation, including risk assessments, Data Protection Impact Assessments (DPIA) and Fundamental Rights Impact Assessments (FRIA).

Marketing activities, e-commerce and cookies

The GDPR rules interact closely with marketing law, which includes the rules in the Danish Marketing Practices Act, the rules on the collection and processing of data via cookies, the Danish Consumer Contracts Act and the e-commerce rules.

It is of significant importance for companies to have their marketing activities under control, because good marketing creates great customer experiences and helps to ensure trust and confidence in your image and brand.

Marketing activities are often data-driven, e.g. by use of cookies on a website or a pixel in an email, tracking and following a user's movements and behaviour. Such data constitute personal data requiring compliance with rules on consent and transparency.

Handling of the rights of individuals

Individuals' rights are at the centre of the GDPR, and all enquiries from data subjects must be handled in compliance with the rules. The requirements are detailed and include form requirements, content requirements and deadlines for responding to an enquiry from an individual. There are also rules regarding how data subjects must identify themselves, but it is also essential to avoid excessive requests for identification. In order to succeed, you need to establish and observe guidelines and procedures.

Each enquiry must be handled individually, and there may be commercial interests justifying a company's desire not to comply with a data subject's request, for example a request for access to all personal data. In those cases, we can help you assess whether any of the exemptions can be used as a legal basis for rejecting the request in whole or in part. 

Design of privacy policies and internal guidelines

To ensure compliance with data protection law, it is necessary that your internal guidelines are accessible and understandable to all employees. 

Similarly, your customers and business partners should be able to read in your privacy policy how you process their data. We can help you create both clear internal guidelines for employees and external privacy policies ensuring that your organisation complies with the transparency and accountability rules.

Business transfers and due diligence processes

Data protection is an essential part of both buying and selling businesses, including in due diligence processes for both buyers and sellers. For example, in a business transfer it may be all-important whether the buyer can get access to the lead database of the new company or will have to start over and collect the lead data anew.

It may also be relevant for the buyer to clarify whether it is possible to take over consents previously obtained by the seller, for example consents to receipt of newsletters. Together with our M&A colleagues, we have extensive experience in ensuring that all data protection issues are identified and clarified at relevant points in the process, thereby allowing both the buyer and the seller to make informed decisions.

Internal and counsel investigations

Many businesses need at some point to investigate irregularities in their organisation. In collaboration with the team handling internal and counsel investigations, we ensure compliance with both the Danish Whistleblower Act and the data protection rules throughout the process. For example, we look at data minimisation in the investigations, special rules prohibiting "tipping off", transparency in relation to those investigated and others who contribute during interviews, etc. We often first examine whether there is a basis for keeping the investigation completely confidential and, if so, the extent of it.

Fintech

The financial sector is subject to a multitude of special data protection rules. We and our colleagues in the fintech teams are well versed in the interfaces between GDPR and those special rules. For example, this may be in relation to credit information (according to the Danish Credit Agreement Act and the Danish Consumer Loan Act), outsourcing rules (e.g. in the Outsourcing Executive Order, the Danish Payments Act and – in the future – DORA), open banking (e.g. account information services) and the use of payment information under the Danish Payments Act.

Research, drug trials and health data

Healthcare legislation involves special data processing rules, including in relation to clinical trials, record-keeping, patient consents, etc., and this is important to bear in mind if your business or organisation operates in the healthcare and research sector.

The data protection rules also include requirements that must be complied with when processing data for research purposes. For example, use of data for a purpose other than the purpose for which the data were collected gives rise to personal data considerations, and in certain situations it may be a requirement to obtain prior approval from the Danish Data Protection Agency if data processed for research purposes are to be transferred to countries outside the EU/EEA. We have extensive insight into and knowledge of the research area, as well as international experience to draw on. 

Ensure compliance by using our tools and services 

The data protection rules are complex and can pose challenges when it comes to understanding and compliance. If you are a small organisation, the challenge can often be the lack of resources. If you are a large organisation, the challenge can be the complexity of the rules or the lack of implementation of necessary data protection processes in the organisation. We would be happy to help and therefore provide a range of tools and services to support your practical compliance with the data protection rules.

Our DPO service

If your organisation needs a Data Protection Officer (DPO), we can help. We can offer you a long-term solution – but also an interim solution if, for example, your DPO has resigned and you need help until a new one is on board. We can take on the role of your DPO and create a customised DPO solution for your specific needs and budget.

Whistleblowing schemes

In recent years, both the public and private sectors have intensified their focus on establishing whistleblowing schemes. We have extensive experience with whistleblowing schemes and can help you and your business if you intend to implement one. We can also offer you the use of our digital whistleblowing solution, which allows your employees to report suspected irregularities and unlawful acts anonymously and effectively.

Read more about whistleblowing schemes and our digital whistleblowing solution here:


We advise on the establishment and administration of whistleblowing schemes and provide whistleblowing hotline services for a multitude...

Contact

Pia Kirstine Voldmester
Partner (Copenhagen)
Dir. +45 38 77 10 15
Mob. +45 26 86 64 28
Birgitte Toxværd
Partner (Copenhagen)
Dir. +45 38 77 10 34
Mob. +45 51 34 32 22
Kristian Storgaard
Partner (Aarhus)
Dir. +45 38 77 44 70
Mob. +45 20 19 74 10