Poor handling of access requests triggered criticism and police reports
The Danish Data Protection Agency has reported two companies to the police and proposed fines because both companies ignored orders to respond to access requests. In another case, the Agency has issued serious criticism of how a Danish authority has handled access requests.
In one case, two trade unions complained to the Danish Data Protection Agency over two companies ignoring access requests from a member. Even after several follow-ups, the companies still didn’t respond. The Agency then issued an order to both companies, but again, neither replied. As a result, the Agency reported both companies to the police and recommended a fine.
In another case, the Agency looked into the Danish Customs and Tax Administration on its own initiative. The reason was that the authority took, on average, 100 days to answer access requests. Its longest response time was 328 days. The Agency didn’t accept explanations such as internal work procedures, lack of staff, or new case law. The Authority has received serious criticism and must now submit a report to the Agency, no later than January 2026, explaining how it has handled access requests following the inspection.
IUNO’s opinion
Companies must follow the statutory procedures for answering access requests from data subjects. Requests must be answered immediately, and no later than one month after receiving them. For complicated requests, the deadline may be extended by up to two additional months, meaning a maximum of three months in total.
IUNO recommends setting up fixed procedures to handle access requests. Without them, replying can be time-consuming and difficult to manage. It’s also important to understand what it means to reject a request. Poor or incorrect handling of requests can quickly lead to a complaint to the Danish Data Protection Agency.
[The Danish Data Protection Authority’s decision in case no. 2024-432-0039 of 30 September 2025 and police report of 30 October 2025]
In one case, two trade unions complained to the Danish Data Protection Agency over two companies ignoring access requests from a member. Even after several follow-ups, the companies still didn’t respond. The Agency then issued an order to both companies, but again, neither replied. As a result, the Agency reported both companies to the police and recommended a fine.
In another case, the Agency looked into the Danish Customs and Tax Administration on its own initiative. The reason was that the authority took, on average, 100 days to answer access requests. Its longest response time was 328 days. The Agency didn’t accept explanations such as internal work procedures, lack of staff, or new case law. The Authority has received serious criticism and must now submit a report to the Agency, no later than January 2026, explaining how it has handled access requests following the inspection.
IUNO’s opinion
Companies must follow the statutory procedures for answering access requests from data subjects. Requests must be answered immediately, and no later than one month after receiving them. For complicated requests, the deadline may be extended by up to two additional months, meaning a maximum of three months in total.
IUNO recommends setting up fixed procedures to handle access requests. Without them, replying can be time-consuming and difficult to manage. It’s also important to understand what it means to reject a request. Poor or incorrect handling of requests can quickly lead to a complaint to the Danish Data Protection Agency.
[The Danish Data Protection Authority’s decision in case no. 2024-432-0039 of 30 September 2025 and police report of 30 October 2025]
Similar
New guidelines on prohibited AI practices
Managing transfer impact assessments in practice
Secret audio recordings of conversations led to serious criticism
Updated guidelines regarding breaches of data security
New rules on CCTV monitoring
The new NIS 2 Act has entered into force