GDPR datatilsynet audit

The GDPR hunting season is open:
The Danish authority Datatilsynet has announced first shots will be fired

Datatilsynet (Danish Data Protection Agency) has announced the types of companies they are targeting first and on which grounds. It will be the first test of companies’ efforts to comply with the General Data Protection Regulation (GDPR). And it is happening as we speak. So, lets dive into how Datatilsynet will conduct their supervision and who will be the first companies to be audited.

27th of June became the day that Datatilsynet released their “GDPR supervision-plan”. The plan contains information about two areas:

  • Which sections of GDPR are their focus?
  • Which industries and institutions will they target first?


Mails from loyalty clubs and dating services are investigated

Unless you’ve been sleeping under a rock, it has been almost inevitable to avoid the data bombing of your e-mail inbox – leaving it utterly destroyed, as companies wanted to renew your consent to receive information from them. This was a direct consequence of companies trying to comply with the GDPR.

Datatilsynet describes the phenomenon as follows: 

”…tusindvis af danskere [oplevede, red.] at få fyldt deres indbakker med e-mails fra navnlig private virksomheder, der under henvisning til de nye databeskyttelsesregler enten bad om et (fornyet) samtykke til fortsat at kunne behandle personoplysninger eller gerne ville orientere om indholdet af deres persondatasikkerhedspolitik.” 

Translated in English:

”…thousands of Danes [experienced, red.) their e-mail inboxes being flooded with e-mails from companies wanting to renew their consent to manage your personal data or wanted to update you on their new personal data security policy – as a response to the GDPR.”

Focus for the investigations is whether the content of those e-mails lives up the GDPR requirements and other related legislation. Datatilsynet is specifically targeting “loyalty clubs” and dating services.

Hotels, furniture chains and cab companies: Have you deleted personal data?

One of the pillars of the GDPR is that companies can’t store or handle personal data longer than necessary. As a reaction, many companies have implemented new processes and software to mitigate the new GDPR requirements. It is exactly these processes that Datatilsynet will focus on. First to get audited will be hotel chains, furniture chains and cab companies.

If you want to read the entire “GDPR supervision-plan”, you can do so here (In Danish).