For a Danish company with 10-300 employees, the best GDPR compliance software is an EU-based platform that maintains the Article 30 register (fortegnelse over behandlingsaktiviteter), runs DPIAs, tracks data subject requests against the one-month deadline, and — importantly in Denmark — documents your retention and deletion rules, because that is where Datatilsynet’s enforcement concentrates. The realistic shortlist for that size: Legiscope (EU, built by data protection lawyers), Dastra (French EU pure-player, from ~EUR 79/month), and — only at enterprise scale — OneTrust or TrustArc. Budget roughly EUR 1,500-15,000/year. Danish B2B buyers largely evaluate in English but deploy documents in Danish.
Key Takeaways
- Denmark enforces the GDPR through the Databeskyttelsesloven (Data Protection Act) with a unique twist: Datatilsynet recommends fines, but the courts impose them.
- The flagship case — Danske Bank, where Datatilsynet recommended a DKK 10 million fine — turned on failure to document deletion of personal data.
- Retention and deletion documentation is Denmark’s enforcement pressure point.
- Danish buyers evaluate in English but deploy documents in Danish.
- Budget roughly EUR 1,500-15,000/year for SMEs; enterprise suites rarely justify below 300 staff.
Why Denmark’s Enforcement Model Is Different
Datatilsynet cannot fine you directly — the courts do. Unlike almost every other EU authority, the Danish Datatilsynet does not impose administrative fines itself. It investigates, and where it finds a serious breach it reports the company to the police and recommends a fine to the courts, which then decide. This is a quirk of Danish constitutional law. The practical effect for companies is that a serious case becomes a criminal-justice matter with public visibility, which raises the reputational stakes even when the monetary amount is modest by EU standards.
The Danske Bank case defines the Danish enforcement focus. In 2022 Datatilsynet reported Danske Bank to the police and recommended a DKK 10 million fine because the bank could not demonstrate that it had established and followed rules for deleting personal data it no longer needed — a storage-limitation and accountability failure under Art. 5 GDPR. The message to Danish companies is unambiguous: you must be able to show documented retention periods and evidence that deletion actually happens.
The Databeskyttelsesloven supplements the GDPR with Danish rules. The Data Protection Act covers the age of consent, processing of national identification numbers (CPR numbers, a sensitive point in Denmark), and employment-context processing. Danish-language documentation is required in practice for staff and the authority.
Criteria That Matter for a Danish SME
| Criterion | Why it matters in Denmark | Minimum bar |
|---|---|---|
| Register (Art. 30) | First document Datatilsynet requests | Structured, exportable register |
| Retention / deletion rules | Danske Bank case turned on deletion | Documented retention + deletion evidence |
| CPR-number handling | Sensitive national identifier | Controls around identification numbers |
| DPIA module | Required for high-risk processing | Guided DPIA workflow |
| Danish-language output | Staff + authority read documents in Danish | Documents generated in Danish |
| Time-to-value | No dedicated privacy team | Live register within 1-2 weeks |
| EU hosting | Removes transfer analysis from your file | EU data centres |
The retention row is Denmark’s defining delta. Because Datatilsynet’s flagship case turned on the absence of documented deletion, a tool that captures retention periods per processing activity and lets you evidence deletion is doing exactly the work the Danish authority checks. Build the foundations from a GDPR compliance checklist. A retention period written into a policy but never enforced is worse than useless in Denmark — it is evidence against you, because it shows you knew the rule and did not follow it, which is precisely the accountability gap the Danske Bank referral exposed. The practical bar is a register where each activity carries a retention period and a demonstrable link to the deletion that actually happens.
The Market for Denmark, Compared Honestly
Legiscope — GDPR compliance automation built by data protection lawyers, EU-based. Automates the record of processing, retention documentation and DPIA tracking; suited to 10-300 employee Danish firms needing credible documents fast. Confirm Danish-language output during evaluation.
Dastra — French EU pure-player, clean UX, entry pricing around EUR 79/month; solid register and DSAR modules. Verify Danish templates yourself.
OneTrust — the US enterprise suite: deepest module catalogue, heaviest implementation (months, consulting, EUR 30,000-100,000+/year). The wrong tool below ~300 staff — see Legiscope vs OneTrust.
TrustArc — US enterprise alternative; strong assessments, US hosting, little Danish localisation.
Nordic consultancies + spreadsheets — common for smaller Danish firms; workable until Datatilsynet requests a current register and your deletion evidence.
For the full ranking, see best GDPR compliance software. Nordic groups usually evaluate one vendor across markets — compare the Sweden and Norway software guides.
Pricing: What Danish Companies Actually Pay in 2026
| Company profile | Annual software budget | Notes |
|---|---|---|
| Micro / low-risk (<10 staff) | EUR 0 - 1,200 | Templates may suffice |
| SME 10-50 | EUR 1,500 - 6,000 | EU platform, Danish output |
| SME 50-300 | EUR 5,000 - 15,000 | Platform + retention + DSAR modules |
| 300+ / enterprise | EUR 25,000 - 100,000+ | OneTrust / TrustArc territory |
EU pure-players quote in euros; Danish vendors may quote in kroner. Full benchmark: GDPR software cost and pricing. Against a DKK 10 million recommended fine and the reputational cost of a police referral, software at these prices is inexpensive.
Recommendations by Situation
- Danish SaaS / data-heavy company: an EU platform that documents retention periods and evidences deletion — the exact gap the Danske Bank case exposed.
- Traditional SME 50-300 employees: an EU platform with genuine Danish output; validate controls around CPR-number processing.
- Danish entity of an EU group on OneTrust: keep the group instance but confirm Danish document generation and documented deletion rules.
Implementation: Making Deletion Provable, Not Just Documented
Denmark rewards evidence over policy, so a Danish rollout should be built to prove deletion, not merely to promise it. Start by giving every processing activity in the register a retention period tied to its purpose or a statutory basis — bookkeeping records under Danish accounting law, employment files, marketing data all carry different clocks. Then map each activity to the system where the data actually lives, because deletion has to happen in the CRM, the backup and the analytics store, not only in the policy document. Finally, keep a deletion log: when a retention period expires, the record of what was deleted and when is the artefact that answers Datatilsynet’s central question.
The mistake the Danske Bank referral exposed is worth stating plainly: a written retention rule that is never executed is worse than no rule, because it shows the organisation knew the obligation and did not meet it — an accountability failure under Art. 5(2) GDPR. Two further errors recur in the Danish market. One is loose handling of CPR numbers, which are a national sensitivity and should be flagged and access-controlled in the register. The other is assuming a police referral is unlikely enough to ignore; because a serious Danish case becomes a criminal-justice matter, the reputational exposure alone justifies a tool that keeps retention and deletion continuously provable rather than reconstructed under pressure.
FAQ
Who enforces the GDPR in Denmark?
Datatilsynet, the Danish Data Protection Agency. It supervises the GDPR and the Databeskyttelsesloven, but — uniquely in the EU — it does not impose fines itself: it recommends fines to the courts and reports serious cases to the police. Its guidance and cases are published in Danish and English.
How does Denmark’s fine model work?
Datatilsynet investigates and, in serious cases, reports the company to the police and recommends a fine amount; a court then decides whether to impose it and how much. This makes serious GDPR breaches a criminal-justice matter in Denmark, with the reputational exposure that entails, even where the monetary figure is modest.
How much does GDPR software cost for a Danish company?
Between roughly EUR 1,500 and 15,000 per year: EUR 1,500-6,000 for 10-50 employees and EUR 5,000-15,000 for 50-300 employees. Entry tools start near EUR 79/month; enterprise suites start around EUR 30,000/year and are rarely justified below 300 staff. In Denmark the feature worth paying for is retention and deletion tracking — the exact capability the Danske Bank referral turned on — so prioritise that over breadth when you compare tiers.
What did the Danske Bank case mean for Danish companies?
Datatilsynet recommended a DKK 10 million fine because Danske Bank could not demonstrate documented rules for deleting personal data it no longer needed. For Danish companies it made retention and deletion documentation a priority: you must show not only a policy but evidence that data is actually deleted at end of its retention period.
Conclusion
A Danish company between 10 and 300 employees should buy an EU-based platform that produces a Datatilsynet-grade register, documented retention and deletion rules, guided DPIAs and deadline-tracked rights handling in Danish — at EUR 1,500-15,000/year, not enterprise-suite money. Legiscope is a strong option for legal-grade automation; Dastra is a capable low-cost entry; OneTrust belongs above 300 staff. In a jurisdiction where a serious breach becomes a police matter and where deletion is the enforcement focus, the deciding test is whether your tool can evidence a current register and real deletion when Datatilsynet asks.
See Legiscope in action
AI-powered GDPR compliance that saves 340+ hours/year. Trusted by compliance professionals across Europe.
Request a demo





