The Danish Data Protection Agency is the responsible supervisory authority in Greenland, but the rules governing data protection differ from those in Denmark. In Greenland, the legal framework is based on the Danish data protection rules that were in effect prior to the GDPR.
Although the rules share similarities, there are notable differences. For example, companies are generally required to report data processing activities in advance, and there is no specific framework for CCTV monitoring, unlike in Denmark. Despite the differences, the Danish Data Protection Agency has confirmed that most of its guidance on data processing in Denmark is equally applicable to Greenland.
In addition to complying with data protection rules as part of your processing activities, the data you transfer from the EU must maintain a level of protection that is essentially equivalent to that within the EU. To ensure that, you will need to conclude standard contractual clauses or other transfer mechanisms. The relevant transfer mechanism will depend on the transfer situation. Also, the mechanism cannot stand alone. The so-called ‘transfer impact assessment’ is also needed to prove that the data is guaranteed an appropriate level of protection following the transfer. We have previously elaborated on that requirement here.
iuno’s opinion
Many find it confusing that data cannot flow freely and that the data protection rules are not identical across the Danish Realm. However, unlike Greenland, the Faroe Islands have an adequacy in place, which makes it significantly easier to handle cross-border data flows.
iuno recommends that companies become familiar with the applicable data protection rules before commencing processing activities in a new country. Although the rules may appear similar at first glance, actual practice and administrative requirements may impact the risk in practice.