Report a breach

The General Data Protection Regulation (GDPR) requires data controllers to report personal data breaches to the relevant supervisory authority, where the breach presents a risk to the affected individuals.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

In the case of a personal data breach, you must without undue delay and, where feasible no later than 72 hours after having become aware of it, notify the personal data breach to the Danish Data Protection Agency, unless the personal data breach is unlikely to present a risk to the affected individuals.

How do I report?

If you have a NemID login, you should report the breach via Virk.dk. Press “Start selvbetjening”, select “English” and log on. You can now fill in the form in English. Remember to download a copy of the form for documentation, once you have sent it.

In case you do not have a NemID, you can report the breach by sending an e-mail to dt@datatilsynet.dk. Please provide the following information:

  1. Your contact information.
  2. A description of the incident.
  3. Categories and number of persons concerned.
  4. Categories and number of records of personal data concerned.
  5. Description of the consequences of the breach for the data subjects.
  6. Description of the likely consequences the breach will have on the data subjects.
  7. Description of the measures taken or proposed to handle the breach.
  8. Description of the measures implemented before the breach took place to prevent this type of incident.
  9. Description of the measures taken to limit any possible effects.
  10. Whether data subjects are notified in accordance with Article 34 of the General Data Protection Regulation and, if so, how and when.
  11. If data subjects are not notified, why.
  12. If you need more time to investigate, we request a status as to when this information will be available to you.

Do not write personal data about the persons concerned in the notification.

My personal data has been subject to a data breach

This page is addressed to the data controllers, who must report to the Data Protection Agency if they have had a personal data breach. If your data has been subject to a personal data breach, you should first contact the responsible person or organisation. If you are dissatisfied with their response, you may complain to the Danish Data Protection Agency.