RODO in Denmark

RODO is a European Union law that requires companies operating in the European Union to justify how certain data is collected and used. Failure to comply with RODO can seriously affect a business, as it risks fines and in some cases even prison sentences. RODO stands for the Regulation on the Protection of Personal Data. Personal data such as social security numbers, dates of birth and most other personally identifiable information are typically subject to the RODO. The General Data Protection Regulation, also known as RODO, went into effect on May 25, 2018.

RODO does not only apply to companies operating in EU countries, it also covers non-EU countries whose customers or potential customers live in EU countries. RODO was enacted to help protect consumers from illegal data collection practices. Previous data collection laws were enacted before the proliferation of the Internet, so the enactment of RODO aims to update and expand these protections in the new era of big data collection and data collection procedures. The RODO is primarily concerned with consumer "personal data," but a business with EU customers or doing its own business in the EU should also take other important factors into consideration.

[infografika] The general points that the RODO contains are:

1. how companies can use people's data.
2. How companies collect and use personally identifiable information.
3. How companies justify the use of such data.

Personally identifiable data (PII) subject to the RODO means any information relating to or capable of identifying an individual, otherwise known as a "data subject." The most common examples of RODO data are: 

• personal identification number, 
• health data, 
• phone number, 
• date of birth, 
• email address,
• location,
• IP address.

Under RODO, companies must follow stricter rules for collecting consumer data and what they do with it. The company must collect data through "opt-in" measures that allow the consumer to choose whether or not to provide their information. These measures typically include adding a disclaimer about the DPA when collecting data. Companies must also implement data collection policies that ensure that consumer data processing is limited to what is necessary, and only keep data for as long as it serves its purpose. 

Because of RODO, many companies are choosing to mask their data by:

1. Data pseudonymization - this process also masks data by replacing identifying data with artificial identifiers, but its use is limited compared to data encryption.
2. Data encryption - this process obscures information by replacing identifiers with something else. The data is then available only to "approved users" who can see the full data set.

Some not-so-recognizable data sets are also included in the RODO because they can be used to identify a person. These relatively rare data points include information that is usually considered private and subjective, such as religion, genetic data, ethnic or racial background, weight, political opinions, eye color, other character traits, and trade union membership.

Under the provisions of the RODO, there may be situations in which the requested data is not subject to the RODO because it may not be unique to an individual. For example, someone's name may not always be personal data, as many people have the same name. However, when a person's name is combined with other data, such as employment, phone number or permanent address, this is directly subject to the RODO. It is up to the company's compliance team to determine the context in which the data is collected.