Denmark data breach notification

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: January 2024

☐ public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)
☒ cybersecurity authorities
health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
☒ other

e.g., payment service providers

Details regarding the identified data security breach notification requirements

Notification of the Danish Business Authority

Providers of public telecommunications services and independent interpersonal communications services, e.g. instant messaging services, are obliged to notify the Danish Business Authority in case of data breaches, according to the Danish Act on Electronic Telecommunications and Executive Order no. 1882 of 4 December 2020 on personal data security in connection with the provision of public electronic communications services and number-independent interpersonal communications services, which supplements EU Regulation 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.

A data breach occurs when the protection of personal data is violated, that is, where there is a violation of data security that leads to the loss, unlawful deletion, modification, storage, dissemination or other illegitimate use of personal data, which is transmitted, stored or otherwise processed in connection with the provision of publicly available telecommunications services, as well as the unlawful access to these.

The provider must inform the Danish Business Authority no later than 24 hours after the detection of the personal data breach, where feasible, cf. section 5(1) of Executive Order no. 1882, cf. art. 2(2) of Regulation no. 611/2013.

When the personal data breach is likely to adversely affect the personal data or privacy of an individual, the provider shall, in addition to the notification mentioned above, also notify the individual of the breach without undue delay, cf. art. 3(1) and (2) of Regulation no. 611/2013 (subject to exceptions, e.g., where certain security measures have been taken and documented).

Non-compliance with the breach notice requirements could potentially be sanctioned with a fine.

Notification of the Danish Financial Supervisory Authority

Under the Danish Act on Payments, implementing the EU Directive 2015/2366, and Executive Order no. 1428 of 3 December 2018 on reporting of operational and safety incidents, payment service providers are obliged to notify the Danish Financial Supervisory Authority in case of data breaches if the data breach is considered a "major operational and security incident". If that is the case, the Danish Financial Supervisory Authority must be informed, cf. section 127(1) of the Danish Payments Act.

A data breach occurs under the following circumstances: a singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services. Where the breach has or may have an impact on the financial interests of the payment service users, the payment service provider must without undue delay inform the payment service users of the breach.

Non-compliance with the breach notice requirements could potentially be sanctioned with a fine.

Notification of the Center for Cyber Security

Under the Danish Act on Security of Network and Services and Executive Order no. 258 of 22 February 2021 on information and notification obligations regarding security in networks and services, which implements the EU Directive 2018/1972, providers of publicly available communications networks and services, as well as independent interpersonal communications services, are obliged to notify the Danish Center for Cyber Security (CFCS) in case of a breach of information security if the breach is considered to have a material impact on the operation of the network or services.

The CFCS must be informed after detection of the breach. The notification must be made without undue delay through the common digital solution for reporting to public authorities at www.virk.dk, cf. Section 7(3) of Executive Order no. 258 of 22 February 2021.

Please note that under certain conditions notification of the relevant Danish ministry may also be required for certain sectors or operators. For example, according to the Danish Act on Security of Network and Information Systems within the health sector, operators of essential services are required, without undue delay, to notify both CFCS and the Danish Ministry of Health of incidents that have significant consequences for the continuity of the essential services, cf. section 5(1). Similar obligations apply within the energy and utilities sector.

Non-compliance with the breach notice requirements could potentially be sanctioned with a fine.