anonym.legal

Datatilsynet Denmark: Healthcare De-identification Is Denmark's Top GDPR Enforcement Priority

Denmark's Datatilsynet issued 31 GDPR decisions in 2024; 14 involved healthcare data systems. The CPR number requires modulus-11 validation, which 67% of NLP tools lack. This article covers the technical compliance requirements.

March 7, 2026 · 8 min read
Denmark Datatilsynet, CPR number, healthcare GDPR, Nordic data protection, health data

Denmark's Datatilsynet has become a European leader in healthcare data enforcement. In 2024, the authority issued 31 GDPR decisions — with 14 (45%) directly involving healthcare data systems. For a country of 5.9 million people, this enforcement density reflects Denmark's advanced digital health infrastructure and demanding technical compliance expectations.

Denmark's Healthcare Data Infrastructure

Denmark operates one of the world's most comprehensive national health data systems. Every Danish citizen has a CPR number linked to electronic health records, the national prescription registry, the national patient register (tracking all hospital contacts since 1977), and biobank samples at Statens Serum Institut.

This integrated infrastructure makes Danish health data among the most valuable for research — and the most sensitive for privacy. Datatilsynet's healthcare enforcement focus reflects this tension.

CPR Number: The Technical Challenge

The CPR number (Det Centrale Personregister-nummer) is a 10-digit civil registration number in the format DDMMYY-XXXX. The final digit is a check digit validated using modulus-11 arithmetic.

The CPR number is the foundation of all Danish public administration: health, taxation, social benefits, voting, banking. Every healthcare document includes it.

Datatilsynet requires documented anonymization validation for secondary use of health data. The technical problem: 67% of generic NLP tools do not implement CPR number modulus-11 validation. Without checksum validation:

False positives: Date-like strings, invoice numbers, and reference codes get flagged as CPR numbers, requiring costly manual review.

False negatives: Transposed-digit CPR numbers that fail checksum validation are missed — leaving real patient identifiers in data that appears clean.
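
The sketch below shows checksum-aware CPR detection as an added example; it is not code from the original article or from any vendor's product. It uses the standard CPR weights (4, 3, 2, 7, 6, 5, 4, 3, 2, 1). The function names, the three-way verdict and the sample text are assumptions made for illustration.

```python
import re
from datetime import date

# Standard CPR modulus-11 weights, one per digit of DDMMYYXXXX.
WEIGHTS = (4, 3, 2, 7, 6, 5, 4, 3, 2, 1)
# Six digits, optional hyphen, four digits, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(\d{6})-?(\d{4})(?!\d)")

def plausible_date(ddmmyy):
    """True if DDMMYY is a real calendar day in the 1900s or 2000s."""
    dd, mm, yy = int(ddmmyy[:2]), int(ddmmyy[2:4]), int(ddmmyy[4:])
    for century in (1900, 2000):
        try:
            date(century + yy, mm, dd)
            return True
        except ValueError:
            pass
    return False

def mod11_ok(digits):
    """True if the weighted digit sum is divisible by 11."""
    return sum(int(d) * w for d, w in zip(digits, WEIGHTS)) % 11 == 0

def classify(text):
    """Return (match, verdict) for every CPR-shaped string in text."""
    results = []
    for m in CANDIDATE.finditer(text):
        digits = m.group(1) + m.group(2)
        if not plausible_date(m.group(1)):
            verdict = "reject"   # no valid birth date: invoice or reference number
        elif mod11_ok(digits):
            verdict = "cpr"      # birth date and checksum both valid
        else:
            # Assumed policy: keep for human review instead of dropping. A typo in a
            # real CPR fails the checksum, and numbers issued since October 2007
            # are not guaranteed to satisfy modulus 11.
            verdict = "review"
        results.append((m.group(0), verdict))
    return results

# Constructed sample text; the numbers are made up for this example.
SAMPLE = (
    "Patient 010190-1238 indlagt. "         # passes modulus 11
    "Henvisning noteret: 010190-1283. "     # last two digits transposed
    "Faktura 4513202400 betalt."            # day 45, month 13: not a date
)

if __name__ == "__main__":
    for match, verdict in classify(SAMPLE):
        print(f"{match:<12} {verdict}")
```

Recording the counts per verdict on a labelled test set gives the kind of detection-coverage evidence that anonymization documentation is expected to contain.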

Secondary Health Data Use Requirements

Denmark's health register data supports world-class medical research. Datatilsynet's 2024 guidance on secondary use sets specific technical requirements:

Documented anonymization procedures: Organizations must maintain written technical documentation describing exactly how de-identification is performed — not just the outcome, but the specific processes, tools, and validation steps.

Validation of completeness: Documentation must include evidence that anonymization was verified. This includes test results demonstrating detection coverage for CPR numbers and other Danish health identifiers.

Minimum necessary data principle: Research datasets containing more personal data than the research question requires violate GDPR proportionality, even when pseudonymized. Organizations must demonstrate data scope matches documented research purpose.

DPIA for AI systems: Any AI system processing Danish health data requires a completed DPIA using Datatilsynet's model framework.

Copenhagen Health Tech: Specific Compliance Requirements

Copenhagen's health technology sector (Leo Pharma, Bavarian Nordic, and numerous digital health startups) faces enforcement scrutiny in three areas:

Clinical AI tools: AI diagnostic tools must demonstrate GDPR Article 22 compliance and documented anonymization for training datasets. Datatilsynet found multiple companies in 2024 using training datasets containing identifiable patient CPR numbers without adequate legal basis.

Cross-border transfers: Several Danish health tech companies contracted US cloud providers for AI model training. Datatilsynet requires Transfer Impact Assessments and found SCCs alone insufficient for health data without supplementary technical measures (encryption with European key management).

Audit trail requirements: For health data processing, access logs must enable reconstruction of which patient records were accessed, by whom, and for what documented purpose — retained for at least 5 years.

56% of Danish health data breaches in 2024 involved inadequate de-identification. Organizations using CPR-validated detection with Danish language support eliminate the most common technical failure mode in Danish healthcare GDPR enforcement.
