100 days until the data protection regulation comes into force – are you ready? 

The data protection regulation (regulation 2016/679/EC of 27 April 2016 of the European Parliament and the European Council) will come into force in Denmark in 100 days from now. Below, we will sum up what you need to have in place before 25 May 2018.

The data protection regulation introduces a number of new challenges to which companies and public authorities must relate. And the new rules should be given high priority as failure to comply with the rules may have serious financial - and in some situations criminal - consequences.


If you do not have the below in place before 25 May 2018, you may risk violating the regulation. A number of the provisos of the regulation already exist in a similar form in the Personal Data Act; for instance provisions on the basis of processing, consent and the duty to inform. But these rules are strengthened in the regulation which also stipulates stricter requirements for public authorities and companies processing personal data.

The general questions listed below are among the most important to decide on for companies and public authorities before 25 May 2018 in order to comply with the regulation:

  • Do you have an overview of the personal data processed?
  • Who is the data controller and who is the data processor?
  • Is there a basis for your processing of personal data?
  • Do any consent forms fulfil all the requirements of the data protection regulation?
  • Do you observe the duty of information in relation to all data subjects, and are you ready to meet the data subjects’ other rights, including the right of access?
  • Do you know the rules on deletion of personal data?
  • Are you required to appoint a data protection officer?
  • Can you document that you comply with the data protection regulation? Do you fulfil the regulation’s requirements for registration of processing activities?
  • Have you concluded the required data processor agreements?
  • Do you know where the personal data, that you process, are physically located, including whether personal data are being transferred to third countries (countries outside the EU/EEA)?
  • Have you made a risk analysis, and is your processing security in place?
  • Do you have a procedure concerning security breach?
  • Are you ready to fulfil the new requirements for impact assessments, privacy by design and privacy by default?

If you do not have the above matters in place, we recommend that you take care of it before 25 May 2018 in order to comply with the regulation.

We would be pleased to assist you with specific advice.


Since October 2017, the Ministry of Justice and the Data Protection Agency have published a number of guidelines contributing to the understanding of the data protection regulation. These guidelines cover a number of core areas in the regulation.

General information concerning the data protection regulation

In October 2017, guidelines were published concerning the new rules on protection of personal data. The guidelines describe personal data, when to process personal data and the data subjects’ rights.


In November 2017, guidelines were introduced concerning consent. The guidelines give a brief introduction concerning the rules on consent as a basis of processing under the regulation, including a number of examples of the application of consent.

Data controllers and data processors

In November 2017, guidelines were also published concerning data controllers and data processors. It is important to know the difference between a data controller and a data processor as the requirements are different. The guidelines help clarifying whether you act as data controller or data processor. However, there is no key answers, but the guidelines present some general principles.

Transfer to third countries and international organisations

In November 2017, guidelines were also published concerning transfer of personal data to third countries. The guidelines give a brief introduction to the rules in Part V of the regulation concerning transfer of personal data to third countries or international organisations. The guidelines include a user-friendly quick guide concerning transfer to third countries.

Data protection officers

In December 2017, guidelines were published concerning data protection officers. The purpose of these guidelines was to give an account of the regulation's requirements for appointment of data protection officers, their assignments, qualifications, positions and involvement. As opposed to public authorities, private businesses are only obligated to appoint data protection officers in rare situations.

Code of conduct and certification

In January 2018, the Data Protection Agency and the Ministry of Justice published guidelines concerning code of conduct and certification. Code of conduct means a set of rules that are to ensure that companies comply with the regulation.


In February 2018, the Data Protection Agency and the Ministry of Justice published guidelines concerning registers, including an example of a register.

Future guidelines

According to the Data Protection Agency, six additional guidelines are planned in February 2018. The subjects of these are:

  • Security of processing
  • Data protection by way of design and default settings
  • Impact assessments
  • Handling of breach of personal data security
  • The data subject’s rights
  • Data protection within labour and employment law


Mads Nygaard Madsen


Charlotte Kunckel

Senior Attorney

Lisbet Vedel Thomsen

Senior Attorney

Pernille Fromholt

Assistant Attorney

Maria Pilh Arendsdorf Bengtsen

Assistant Attorney