Protection of children, digital tracking in real life, and the use of AI in the healthcare sector are some of the Danish Data Protection Authority’s new supervisory priorities for 2025.
The continuing expansion and development of AI has long been on the Datatilsynet’s radar, yet the focus for 2025 will be on the risks of AI and generative AI in the health sector. Today, AI is being used increasingly in the sector, and even though the technology can bring many opportunities it can also create risk and harm public interests and rights, Datatilsynet says. Especially when it is used as decision support in patient treatment.
“The use of such solutions, especially in the healthcare sector, entails major risks for citizens with significant consequences,” says the regulator.
Data protection regulations already feature rules on how to comply when developing and using AI, yet Datatilsynet concludes that developments do not always follow or focus on data protection regulations.
Supervisory activities 2025
For 2025, Datatilsynet has added both new and continuing supervisory priorities. New areas include:
Protection of children
With the focus on school photography – such as the responsibilities of the school photo provider and the school – processing of information, division of data controller/data processor roles, and how information is stored and deleted.
FMK access for private practitioners and dentists
The authority has been aware of an issue with sharing access to the Common Medical Card (FMK), where employees in the same clinic have been using the same login. Therefore, Datatilsynet will monitor “the extent to which doctors and dentists ensure that employees have and use personal access to systems that include access to the FMK.”
Generative AI and the healthcare sector
Investigate how (primarily) private companies are using generative AI, with a special focus on how the sector uses decision-support AI during the treatment of patients.
Law Enforcement Act
Datatilsynet will carry out a number of supervisory activities in relation to how law enforcement authorities’* compliance with a number of provisions of the Act, and how personal data is processed.
(*The Law Enforcement Act applies to the police, the prosecution service, the probation service, the Independent Police Ombudsman and the courts).
During the year, Datatilsynet will also carry out an experiment with Finanstilsynet, the Danish Financial Supervisory Authority, on how both authorities can supervise data controllers with its separate set of rules and objectives. The goal, Datatilsynet says, is to contribute to a “simplified, coordinated and holistic supervision” in areas where there is an overlap between its data protection rules and the supervisory rules of Finanstilsynet.
Updated priorities
Similar to last year’s priority of processing personal data while shopping online and in stores, the authority will focus on digital tracking in real life. That involves how individuals’ data is collected from various apps such as shopping apps, and how their habits are disclosed.
Datatilsynet will also continue its work with the Coordinated Enforcement Framework that was adopted by the European Data Protection Board in 2020 with the aim of coordinating joint activities between European supervisory authorities to harmonize and strengthen GDPR enforcement. It has participated in the work since 2023, and will continue this year too to work with data subject’s right to erasure, how data controllers are processing deletion requests.
Datatilsynet will also keep working with the processing of personal data in pan-European information systems, and examine how authorities are processing personal data in connection with the use of several pan-European information systems.