Compliance glossary
Short, clear explanations of the terms used in OHS, whistleblower and GDPR work.
The written plan in the workplace risk assessment describing how the company will solve the problems the mapping has uncovered. For each issue the plan must state what will be done, who is responsible, and when it must be resolved. The action plan is a legal requirement โ a risk assessment without one is incomplete. Follow-up is also required, so the company can document that the measures were actually implemented and work.
The middle signature level defined in Article 26 of eIDAS. An advanced electronic signature must be uniquely linked to the signer, capable of identifying them, created using means under the signer's sole control, and linked to the document so any subsequent change can be detected. In practice the requirements are often met by combining identification (for example MitID) with cryptographic sealing of the document. An AES carries significantly stronger evidential weight than a simple signature and is the standard choice for documents such as employment contracts and data processing agreements.
The formal cooperation on health and safety between management and employees, mandatory in Danish companies with 10 or more employees. The AMO consists of one or more work environment groups with an elected employee representative and an appointed supervisor. Members must complete the mandatory 3-day work environment training within 3 months of being elected. In companies with fewer than 10 employees, health and safety must instead be handled in direct cooperation between employer and staff.
A mandatory meeting that every Danish employer with staff must hold at least once a year, where management and employees review the working environment. The discussion must look back at the past year, set goals and initiatives for the coming year, and assess whether the cooperation on health and safety works. Companies without a formal work environment organisation must be able to document in writing to the Working Environment Authority that the discussion took place. It ties naturally into the follow-up on the workplace risk assessment.
The record of processing activities that Article 30 of the GDPR requires controllers and processors to maintain. It must describe the purposes of processing, categories of data subjects and data, recipients, any third-country transfers, retention periods and security measures. It must be in writing, kept up to date and made available to the data protection authority on request. The exemption for companies under 250 employees is narrow, so in practice virtually every company should keep a record.
A chronological, tamper-evident record of events in a system: who did what, when, and from which address. In a signing process the audit log documents for example when the document was sent, opened and signed, and how the signer was identified. The log is central to the evidential value of electronic signatures and to demonstrating GDPR compliance, such as who accessed sensitive cases. A good audit log cannot be edited after the fact and is stored separately from the data it describes.
A specific risk assessment Danish employers must prepare when employees work with, or may be exposed to, hazardous chemical substances and materials. It replaced the former workplace instruction sheets in 2019 and must describe the hazards, the exposure, preventive measures and training requirements. The assessment must be in writing, kept up to date, and employees must be instructed in its findings. The supplier's safety data sheets are a key input.
An annual plan that spreads the company's recurring compliance tasks across the calendar year so nothing is forgotten or piles up. Typical items include the annual work environment discussion, follow-up on the risk assessment action plan, review of the Article 30 record and retention periods, testing the data breach response, revising data processing agreements and updating the employee handbook. The calendar turns compliance into an ongoing routine with clear owners and deadlines instead of a yearly fire drill. It also serves as good evidence to supervisory authorities that the company works systematically.
One of the GDPR's six lawful bases for processing personal data. Valid consent must be freely given, specific, informed and unambiguous โ and given by an active step, such as ticking a box that is not pre-ticked. The data subject can withdraw consent at any time, and doing so must be as easy as giving it. The company must be able to document that consent was properly obtained, and in employment relationships consent is rarely suitable because the imbalance of power makes voluntariness doubtful.
The company, authority or person that determines the purposes and means of processing personal data. The controller carries the main responsibility for GDPR compliance: a legal basis, transparency obligations, security, documentation and the rights of data subjects. An employer, for example, is the controller of its employees' HR data. If the controller uses vendors for processing, data processing agreements must be concluded with them.
The written agreement that Article 28 of the GDPR requires between a controller and a processor. It must define the subject matter and duration of the processing, the types of data, the processor's obligations, security requirements, rules for sub-processors, and assistance with data breaches and access requests. Without a valid DPA it is unlawful to let a vendor process personal data on the company's behalf. The Danish Data Protection Agency has published a standard template that many SMEs use as a starting point.
A company or person that processes personal data on behalf of a controller and on its instructions โ for example a cloud provider, a payroll bureau or an HR system. The processor may not use the data for its own purposes and must meet the GDPR's requirements for security and confidentiality. The relationship must be governed by a written data processing agreement. If the processor uses subcontractors (sub-processors), the controller's authorisation is required.
A request from an individual to learn what personal data the company processes about them โ a right under Article 15 of the GDPR. The company must disclose the purposes, categories of data, recipients and retention period, and provide a copy of the data. The response must be given without undue delay and no later than one month after receipt; the deadline can be extended by two months for complex requests. The response is free of charge for the data subject as a rule.
The rights the GDPR gives individuals whose data is processed: the right to information, access, rectification, erasure (the right to be forgotten), restriction of processing, data portability and objection โ plus protection against purely automated decisions with significant effects. The company must have procedures so requests are answered within one month. The rights are not absolute; erasure can for example be refused if the data must be retained under bookkeeping law. Poor handling of these rights is one of the most common causes of complaints to data protection authorities.
An impact assessment required by Article 35 of the GDPR when a processing operation is likely to involve a high risk to data subjects โ for example systematic monitoring, large-scale processing of sensitive data, or new technology such as facial recognition. The assessment must describe the processing, evaluate necessity and proportionality, map the risks and define mitigating measures. If the risk cannot be reduced, the data protection authority must be consulted before processing begins. The Danish DPA has published a list of operations that always require a DPIA.
The digital system Danish employers must use to report work accidents to the Working Environment Authority and Labour Market Insurance. EASY is accessed via Virk.dk using the company's MitID Erhverv, and a single report is automatically routed to the relevant authorities and, where applicable, the insurer. Reporting through EASY is mandatory โ paper forms are not accepted. It is good practice to record the facts of the accident internally right away, so the EASY report can be completed correctly within the deadline.
The EU regulation on electronic identification and trust services (910/2014), creating common rules for electronic signatures, seals and timestamps across the EU. eIDAS defines three levels of electronic signatures โ simple (SES), advanced (AES) and qualified (QES) โ and establishes that a signature cannot be denied legal effect solely because it is electronic. The regulation has been updated by eIDAS 2.0, which among other things introduces a European digital identity wallet. For SMEs, eIDAS means documents such as employment contracts can be validly signed digitally.
The company's collected description of rules, policies and practical matters for employees โ such as working hours, sickness reporting, holidays, IT and data protection policy, substance policy and guidelines against offensive behaviour. The handbook is not required by law, but it gathers documentation that other rules do require and creates clarity about what applies. Terms in the handbook can have employment law effect, so material changes must be properly notified. Good practice is to have employees digitally acknowledge that they have read the current version.
The EU regulation on the protection of personal data, applicable since 25 May 2018 and supplemented in Denmark by the Data Protection Act. GDPR sets requirements for how companies collect, use, store and delete personal data, and gives data subjects a range of rights. Companies must be able to document their compliance โ the accountability principle. Violations can be fined up to EUR 20 million or 4% of global annual turnover.
The international standard for information security management systems (ISMS). It requires an organisation to systematically identify its information security risks and manage them through policies, controls and continual improvement; the control catalogue is found in Annex A and elaborated in ISO 27002. Certification is performed by an accredited certification body and is voluntary, but increasingly demanded by customers and in tenders. For SMEs, full certification is often oversized, but the principles โ risk assessment, access control, logging and incident response โ are a good model for security work.
A lawful basis under Article 6(1)(f) of the GDPR, allowing a company to process ordinary personal data if its legitimate interests outweigh the interests and rights of the data subject. The basis requires a documented balancing exercise โ a legitimate interests assessment โ and the processing must be necessary for the purpose. Typical examples are direct marketing to existing customers, IT security and internal administration. The data subject always has the right to object to processing based on legitimate interest.
Denmark's national digital ID, which replaced NemID and is used to log in to public services, banks and private services. MitID is notified under eIDAS and can be used to identify the signer in an electronic signing process, raising the signature to the advanced level (AES). Companies use MitID Erhverv to act on the company's behalf, for example in EASY and on Virk.dk. In document signing, a MitID login provides strong evidence of who actually signed.
An incident that could have caused a work accident but where no one was hurt โ for example a tool falling right next to an employee, or a slip that almost ends in a fall. Near misses do not have to be reported to the authorities, but they are one of the most valuable tools for prevention. By recording and analysing them systematically, a company can remove risks before they cause a real accident. Patterns in near misses should feed into the workplace risk assessment.
The EU cybersecurity directive (2022/2555), which tightens the security requirements for network and information systems for essential and important entities across many sectors โ such as energy, transport, health, digital infrastructure and food. Covered companies must implement risk management, address supply chain security and report significant incidents to the authorities, with substantial fines for non-compliance; management can be held personally liable. NIS2 typically applies to medium-sized and large companies in the covered sectors, but smaller suppliers are also affected indirectly through customer requirements. In Denmark the directive has been implemented by law with effect from 1 July 2025.
The documents a new employee must receive and sign when starting a job. The most important is the employment contract: under the Danish Employment Certificate Act of 2023, the essential terms must be provided in writing no later than 7 calendar days after the first working day, and the rest within a month. Typically added are a confidentiality declaration, IT and data protection policy, equipment handover, acknowledgement of the employee handbook and the GDPR privacy notice on processing of employee data. Digital signing with an audit trail makes it easy to prove that everything was delivered and accepted on time.
A security incident leading to the accidental or unlawful destruction, loss, alteration or unauthorised access to personal data โ for example an email sent to the wrong recipient, a lost laptop or a hacking attack. A breach must as a rule be notified to the data protection authority within 72 hours, unless it is unlikely to pose a risk to data subjects. If the risk is high, the affected individuals must also be informed. Every breach โ including those not notified โ must be documented in an internal log.
The part of the workplace risk assessment that covers the psychosocial working environment: workload, unclear demands, bullying, harassment, violence and offensive behaviour. It is not an optional extra โ psychosocial factors must always be included in the APV alongside physical risks. The rules were clarified in the Danish executive order on psychosocial working environment from 2020. Many companies map it through anonymous questionnaires so employees feel safe answering honestly.
The highest signature level under eIDAS: an advanced electronic signature created with a qualified signature creation device and based on a qualified certificate issued by an approved trust service provider. A QES has the same legal effect as a handwritten signature throughout the EU and is recognised across member states. It is only required in special cases where the law imposes formal requirements โ for ordinary business agreements, an AES or SES is usually sufficient. In return, the burden of proof is effectively reversed: with a QES, the party disputing the signature must prove it is not genuine.
Any unfavourable treatment of a whistleblower as a consequence of a report โ for example dismissal, demotion, harassment, worse assignments or exclusion from promotion. The Whistleblower Act prohibits retaliation, and threats and attempts of retaliation are also unlawful. If a whistleblower nonetheless suffers retaliation, they are entitled to compensation, and the burden of proof can shift so the employer must show the treatment was unrelated to the report. The protection applies when the reporter believed in good faith that the information was accurate.
The periods a company sets for how long different types of personal data are kept before being deleted or anonymised. The GDPR's storage limitation principle requires that data is not kept longer than necessary for the purpose. The periods must be documented โ typically in the Article 30 record and a deletion policy โ and they must actually be enforced in practice. Some periods follow from other legislation, such as the Danish Bookkeeping Act's requirement to keep accounting records for 5 years.
The European Commission's standard contracts that companies can use as a transfer mechanism when personal data is sent to countries outside the EU/EEA without an adequacy decision. The current 2021 SCCs come in modules covering different combinations of controllers and processors. The clauses must be signed unamended, and after Schrems II they must be supplemented with an assessment of the recipient country's laws and, where needed, extra safeguards such as encryption. In practice, SCCs are the most widely used transfer mechanism for SMEs.
The special categories of personal data in Article 9 of the GDPR: racial or ethnic origin, political, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning sex life or sexual orientation. Processing is prohibited by default and requires a specific exception, such as explicit consent or necessity under employment law. Sensitive data demands heightened security, and in Danish law national ID numbers and criminal records are governed by their own separate rules. Many HR and whistleblower cases contain sensitive data and therefore need extra protection.
The basic signature level under eIDAS: data in electronic form attached to other electronic data and used by the signer to sign โ for example a typed name under an email, a scanned image of a signature, or a click on an accept button. An SES is legally valid for the vast majority of agreements in Denmark, where freedom of form applies. Its evidential weight, however, depends on how well you can document who signed and that the document was not altered. That is why an SES is greatly strengthened by an audit trail and a cryptographic hash of the document.
A cryptographic fingerprint of a document, computed with a hash function such as SHA-256. Even the smallest change in the document โ a single character โ produces a completely different hash value, and it is practically impossible to construct another document with the same hash. When a document is signed electronically, its hash is stored so it can later be proven that the signed document has not been altered. The hash reveals nothing about the document's content and can therefore be shared freely as proof of integrity.
The rule in the Danish Working Time Act that an employee's average weekly working time must not exceed 48 hours including overtime, measured over a 4-month reference period. The rule stems from the EU Working Time Directive and applies to virtually all employees. Violations can trigger compensation to the employee, and since 2024 employers must be able to document compliance through working time registration. A few collective agreements allow a higher limit for selected groups under specific conditions.
The deadline in Article 33 of the GDPR for notifying a personal data breach to the data protection authority: without undue delay and where feasible no later than 72 hours after the company becomes aware of the breach. The clock also runs on weekends and public holidays. If the deadline is missed, the notification must explain the delay. If not all information is available in time, the notification can be made in phases โ the key is to report what you know on time.
The Danish supervisory authority for data protection, overseeing compliance with the GDPR and the Danish Data Protection Act. It handles complaints from citizens, conducts inspections of companies and authorities, receives data breach notifications, and publishes guidance and templates. It can express criticism, issue orders and recommend fines โ in Denmark GDPR fines are generally set by the courts following a police report. Its guidance documents are a good starting point when an SME sets up its GDPR documentation.
The Danish act implementing the EU Whistleblower Directive (2019/1937), in force since December 2021. It obliges private companies with 50 or more employees and most public employers to establish an internal whistleblower scheme โ the requirement has covered companies with 50-249 employees since 17 December 2023. The act protects whistleblowers against retaliation and requires confidentiality, acknowledgement of receipt within 7 days and feedback within 3 months. Violations can lead to fines and liability for damages.
The Danish authority that supervises compliance with the Working Environment Act. It carries out both announced and unannounced inspections and can issue improvement notices, immediate enforcement notices and prohibitions, as well as recommend fines. During inspections it typically asks for the workplace risk assessment, the annual work environment discussion and documentation of the work environment organisation. Companies with their written documentation in order get through inspections far more smoothly.
A transfer of personal data to countries outside the EU/EEA โ for example when a company uses a US cloud service. The transfer requires a valid transfer mechanism under Chapter V of the GDPR: an adequacy decision from the European Commission (such as the EU-U.S. Data Privacy Framework), standard contractual clauses (SCCs) or binding corporate rules. Following the Schrems II ruling, the company must also assess whether the level of protection in the recipient country is genuinely adequate. Third-country transfers must appear in the Article 30 record and the privacy policy.
Electronic proof that certain data existed at a specific point in time. In signing and compliance contexts, a timestamp binds the document's hash to a moment in time, making it possible to prove when a document was signed or recorded. eIDAS regulates qualified electronic timestamps, which are issued by approved trust service providers and enjoy a presumption of accuracy. Reliable timestamps also matter in audit logs, for example to document that a data breach was notified within 72 hours.
An internal channel where employees and others with a work-related connection can confidentially report legal violations and serious matters โ such as fraud, bribery, GDPR breaches or sexual harassment. The scheme must have an impartial whistleblower unit that acknowledges receipt within 7 days and provides feedback within 3 months. The reporter's identity must be protected, and only people with a need may access the cases. The scheme must be described in writing, and employees must have easy access to information about how to use it.
A sudden event connected to work that causes personal injury โ for example a fall, a crush injury or an acute strain. The employer must report the accident digitally in EASY if it causes absence beyond the day of injury, and the report must be filed no later than 14 days after the first day of absence. Accidents that may entitle the employee to compensation under the Workers' Compensation Act must also be reported. Failure to report can be fined, and accidents should always be followed up with preventive action in the risk assessment.
Since 1 July 2024, Danish employers must operate an objective, reliable and accessible system that records each employee's daily working time. The requirement follows from the amendment to the Danish Working Time Act implementing EU Court of Justice case law, and it must make it possible to verify the 48-hour rule and rest period rules. The records must be kept for 5 years, and employees must be able to access their own data. So-called self-organisers can be exempted, but the exemption is narrow and must be stated in the employment contract.
A mandatory assessment of the working environment that every Danish employer with staff must carry out at least every 3 years, and whenever work changes significantly. It consists of four steps: mapping the working environment, assessing the problems, a written action plan and follow-up. The requirement comes from section 15a of the Danish Working Environment Act, and the Working Environment Authority can ask to see it during inspections. The method is up to you, but the result must be in writing and available to employees.