Denmark’s Data Protection Authority Draws a Hard Line on AI, Monitoring, & Privacy Risks in 2026
Key Takeaways
- AI and Care Under Scrutiny: The Danish Data Protection Authority will closely examine the use of AI in healthcare and care settings, particularly where vulnerable individuals have limited ability to opt out of monitoring or decision-support systems.
- Home Monitoring Raises Privacy Stakes: Internet-connected medical devices and sensors used in home-based care will face targeted inspections due to rising breach risks and pressure on patients’ privacy.
- Tracking and Workplace Surveillance Persist: Danish websites’ use of tracking technologies and employers’ monitoring of employees remain priority areas, reflecting ongoing concerns about consent, proportionality, and power imbalances.
- Back-to-Basics Compliance Still Matters: Recurrent failures such as misdirected emails caused by auto-complete and weak transparency practices will drive inspections, especially where sensitive data is involved.
- Large Processors and EU Systems in Focus: Oversight will extend to major data processors, pan-European information systems, and passenger name record data, underscoring the authority’s focus on systemic and cross-border risks.
Deep Dive
In a statement recently published, the Danish Data Protection Authority laid out the areas that will receive special attention in its supervisory work this year. The priorities form the backbone of inspections, guidance, complaint handling, and European cooperation planned for 2026, and they reflect a growing unease about how fast-moving technologies are reshaping everyday data processing, often in ways individuals have little real ability to resist.
At the heart of this year’s agenda is monitoring through new technologies. The authority plans a series of targeted inspections examining whether organizations are complying with data protection rules when they deploy tools that observe, track, or control people, particularly in sensitive settings.
Artificial intelligence looms large in that effort. As AI systems become embedded across healthcare and social services, the authority is zeroing in on how decision-support tools and monitoring systems are used in patient treatment and in the care of vulnerable citizens. While the technology promises efficiency and improved outcomes, the watchdog warns that poorly designed or overly intrusive systems can undermine data subject rights, especially where individuals have limited ability to opt out. AI in care settings has been on the authority’s radar for several years, and 2026 will bring a renewed supervisory push in this area.
That concern extends into the home. The growing use of internet-connected medical devices, sensors, and cameras in home-based care has coincided with an increase in reported personal data breaches, often linked to unauthorized access through insecure devices or networks. This year, inspections will focus on whether such technologies are being deployed in a way that respects privacy and security, particularly where patients have little choice but to accept the equipment as part of their treatment.
Online tracking is another familiar issue that refuses to go away. After focusing on data collection tied to shopping apps in 2025, the authority is turning its attention to how Danish websites track users’ behavior. Despite years of enforcement and guidance, studies continue to show extensive data collection and consent mechanisms that offer little genuine choice. Oversight in this area will be coordinated with the Danish Digital Agency, reflecting the shared regulatory responsibility for how tracking technologies are used in everyday digital life.
The workplace is also back in focus. Technologies that allow employers to monitor employees can involve extensive processing of personal data and are often experienced as intrusive, particularly given the imbalance of power between employer and employee. Building on findings from a 2024 survey of monitoring practices, the authority plans targeted supervision of employers’ use of employee data in 2026, examining whether such monitoring is lawful, proportionate, and transparent.
Alongside these technology-driven themes, the authority is tightening the screws on some more familiar, but no less consequential, compliance failures. One recurring problem is misdirected emails caused by auto-complete functions. Thousands of personal data breaches are reported each year because information is sent to the wrong recipient. Although the authority tightened its expectations in 2023, requiring risk assessments and technical safeguards for auto-complete, such incidents persist. In 2026, inspections will target organizations that process large volumes of sensitive or confidential data, where the consequences of a single mistake can be severe.
Large data processors are another area of concern. The authority points to organizations that act as processors for numerous public and private sector clients, often through standardized, enterprise-scale services. While uniform solutions may be efficient, they can make it difficult for data controllers to give tailored instructions or meet their own GDPR obligations. This year’s inspections will look at whether these processors genuinely enable compliance, or whether rigid service models and change management practices leave controllers exposed.
Transparency and the right to information will be examined through a broader European lens. The authority will take part in the European Data Protection Board’s 2026 Coordinated Enforcement Framework, which focuses on how well data controllers comply with GDPR transparency requirements. Denmark has participated in similar joint enforcement actions in recent years, and the 2026 effort continues that push for more consistent enforcement across the EU.
Finally, the supervisory plan reaches beyond national borders. The authority will oversee Danish authorities’ processing of personal data in several pan-European information systems, including the Schengen Information System, the Visa Information System, EURODAC, and the EU’s new Entry/Exit System. It will also inspect how passenger name record data is processed by the Danish National Police, working alongside the Danish Intelligence Service to review the PNR Unit’s handling of sensitive travel data.
While these focus areas map out the year ahead, the authority stresses that supervision will not be limited to a fixed checklist. Cases will continue to be opened throughout 2026 in response to complaints and other relevant information. Taken together, the priorities paint a picture of a regulator increasingly concerned with how data protection holds up in practice (not just on paper) as AI, monitoring tools, and large-scale data processing become ever more embedded in daily life.

