Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Denmark. Sectoral rules (healthcare, public-sector, employment) are touched only where they intersect with the analytics layer.
Applicable laws
The legal framework that governs personal data processing here.
National addons
Country-specific statutes layered on the EU baseline.
- § 11 CPR-numbers — processing rules for the Danish personal identification number
- § 12 Employee data — special permissions and limits in employment context
- § 13 Special-category data — Danish-specific permissions (employment, social security, public-interest research)
- § 41 Penalties — fines available against private and public entities; Denmark uses a criminal-prosecution route rather than direct administrative fines
- § 3 Storage / read access on terminal equipment requires prior, informed, granular consent
- § 4 Strictly-necessary exception — narrowly construed; analytics, marketing, A/B testing do not qualify
- § 5 Information requirements — clear language, identifiable purposes, named third parties
- § 10(1) Email/SMS/automated marketing — prior express opt-in required
- § 10(2) Soft opt-in — narrow exception for existing-customer + similar products + opt-out at every contact
Regulators
Supervisory authorities that interpret and enforce privacy law here.
Coordination body
- 2020-02-03 · Cookies and consent — Datatilsynet 'Vejledning om behandling af personoplysninger om hjemmesidebesøgende' — explicit consent for analytics + marketing cookies; pre-ticked boxes invalid; equal-prominence reject.
- 2023-09 · Cookies guidance refresh — Updated cookie guidance reaffirming opt-in for non-essential storage/access; clarifies that consent banners must offer reject as easily as accept and that 'continue browsing = consent' is invalid.
- 2024-03 · OpenAI / ChatGPT — Datatilsynet opens own-motion investigation into OpenAI's processing of personal data via ChatGPT, in coordination with the EDPB ChatGPT Taskforce.
- 2023-07 · Google Analytics + DPF — Datatilsynet aligns with EDPB post-DPF position — GA4 acceptable with prior consent while Google LLC remains DPF-certified; supplementary measures still recommended for non-DPF transfers.
Notable enforcement
Denmark uses a criminal-prosecution route for GDPR fines — Datatilsynet recommends a fine to the politi (police) and prosecution proceeds through the courts. This produces fewer headline fines than Germany or Spain but means the cases that do land carry criminal-record weight. Public-sector breaches (regions, municipalities, the police) make up a disproportionate share of Datatilsynet's caseload. Telecom and financial-services oversight is active: BankInvest, Region Hovedstaden, and Argan IT have been recent reprimand or fine subjects. Datatilsynet's posture is pragmatic compared to Hamburg or LfDI BW — it favours guidance and reprimands over maximal fines.
-
Region Hovedstaden Datatilsynet · Art 28, 32 stood
Capital Region of Denmark — inadequate processor oversight and security measures around health-data processors. DKK 1.5M recommended fine.
-
Taxa 4x35 Datatilsynet · Art 5(1)(e) stood
Taxi company retained ~9M trip records with phone numbers beyond the stated retention period. First Danish GDPR fine recommendation — DKK 1.2M.
-
Argan IT-Solutions Datatilsynet · Art 32 stood
IT services provider — security failures around access controls. DKK 100K recommended fine.
GA4 status
GA4 is usable in Denmark with prior, explicit, granular consent under Cookiebekendtgørelsen § 3 and Datatilsynet's 2023 cookies guidance. After EU-US DPF (Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. Datatilsynet has not issued a GA-specific ban — its posture is pragmatic compared to Austria/France.
| DPA | Stance |
|---|---|
| Datatilsynet | Permissive post-DPF — transfers lawful with DPF + explicit consent under Cookiebekendtgørelsen. Reject-button parity required; pre-ticked boxes invalid. |
Cross-border transfers + Schrems II
Datatilsynet aligns with the EDPB post-DPF position. Transfers to DPF-certified US importers are lawful in principle while Google LLC and other relevant recipients remain DPF-certified. For non-DPF US recipients, Schrems II logic still applies — Transfer Impact Assessment + supplementary measures expected. Datatilsynet has not pursued GA-specific bans on the scale of the Austrian or French DPAs.
EU 2021/914 SCCs are the fallback when DPF certification is absent or revoked. Datatilsynet expects controllers to document Module 2 (controller-processor) onward-transfer clauses and a TIA for non-EEA recipients.
Employee data
Key thresholds
Vendor signals
Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.
Analytics tools · 4 · 0 green · 3 yellow · 1 red
| Vendor | Status | Rationale |
|---|---|---|
| YELLOW | Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation. | |
| YELLOW | EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain. | |
| YELLOW | EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green. | |
| RED | Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization. |
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
| Vendor | Status | Rationale |
|---|---|---|
| GREEN | Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate. | |
| GREEN | Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan. | |
| GREEN | Open-source, self-hosted. No managed updates — site owner maintains vendor list. | |
| GREEN | GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults. | |
| GREEN | German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites. |
Ad pixels · 3 · 0 green · 0 yellow · 3 red
| Vendor | Status | Rationale |
|---|---|---|
| RED | Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set. | |
| RED | Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem. | |
| RED | PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required. |
Server-side · 3 · 2 green · 1 yellow · 0 red
| Vendor | Status | Rationale |
|---|---|---|
| GREEN | EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic. | |
| GREEN | EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings. | |
| YELLOW | "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing. |
Compare with neighbors
Side-by-side rule comparison.
Common questions
Is Google Analytics legal in Denmark in 2026?
Do I need a Danish DPO?
Which DPA is competent for my company?
What's the difference between Databeskyttelsesloven and GDPR?
Why are Danish GDPR fines so much smaller than Germany's?
Is 'legitimate interest' a valid basis for analytics in Denmark?
What about employee monitoring and analytics tools?
Do I need a Danish Article 27 representative?
What language must my privacy notice be in?
What's the child consent age in Denmark?
// EDITORIAL · NOT LEGAL ADVICE This page summarises Denmark's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.