The regulations specifically relevant for doing business online and which apply to both business-to-business (B2B) and business-to-consumer (B2C) include the:

For B2C, the Consumer Contracts Act and the Consumer Complaints Act are also relevant.

Further, the Danish Consumer Ombudsman issues guidelines on the interpretation of consumer-specific regulation regarding, for example:

The Danish Parliament passes all legislation in Denmark. An act can authorise the responsible ministry to specify regulations within given limits. This takes place by means of executive orders (for example, the Danish Business Authority issued an executive order on cookies under the Act on Electronic Communications Networks and Services (implementing the E-Privacy Directive (2002/58/EC))).

In addition, the Danish Consumer Ombudsman issues guidelines on the interpretation of consumer-specific regulations, including in relation to:

Further, the Danish Competition and Consumer Authority supervises consumer protection legislation, and the Danish Data Protection Agency supervises all organisations and public authorities' processing of personal data.

To establish a business in Denmark, a Danish business registration number (CVR number) must be obtained, through www.virk.dk. Further, anyone with a CVR number must have a digital mailbox for letters from public authorities such as the Danish Business Authority and SKAT (the Danish Tax Authority). The mailbox is free and can be set up on www.virk.dk.

It is usually advisable to establish a business as a limited liability company by forming either a:

It is also possible to establish a sole proprietorship (enkeltmandsvirksomhed), but this entails personal liability for the owner. The most appropriate corporate-entity solution depends on the specific facts and circumstances, including tax, commercial and financial considerations.

Further, a number of documents must be prepared and must be available on the company's website. These include:

The types of parties that online businesses typically contract with include:

It is critical that the online business ensures it holds all the necessary rights to the website development, to operate its business and implement changes. The service levels on operation efficiency and response times should also be agreed with providers. Further, where appropriate, data processing agreements must be entered into with contract parties processing personal data on behalf of the online business.

There is no specific law or guidance affecting the design of the website or app. However, the online business must comply with the rules of the Marketing Practices Act, including the rules on marketing aimed at children.

If an online business engages with an external app developer to develop an app, the agreement should specify that the copyright to the app lies with the business. Otherwise, the copyright vests with the app developer even though the app developer has been engaged to develop the app on behalf of the online business. As a minimum, the business must ensure that it has the necessary rights to use the app in accordance with its needs and that any third-party copyright is handled accordingly.

An app is typically distributed through an app store (for example, Apple's app store, Google's Android's Market and Microsoft's Windows Store), so it is necessary to conclude an agreement regarding such distribution. Standard agreements, including the technical requirements, are publicly available on the particular app store's website.

Further, the business must ensure that the content and functionalities contained in the app comply with the applicable legislation, such as consumer protection legislation, privacy and cookie legislation, and applicable legislation on contracts.

Contracts can be formed electronically.

An agreement is formed when an offer from one party has been accepted by another party. Applicable terms and conditions often state that the display of products or services on the website does not constitute an offer to customers but merely a request to make an offer, and that the business is not bound by the customer's placing of an order until the customer's offer has been accepted in writing. However, if the customer is a consumer, it must be very clear that the display of products and services is not an offer to be accepted by the consumer. Accordingly, it is not sufficient to state this in the terms and conditions. The information must be presented in such a way that it is evident that the consumer's placing of an order is only an offer made to the business.

In relation to consumer contracts, certain information requirements must be complied with. Otherwise, the consumer may claim that they are not bound by the agreement. These information requirements are set out in the Danish Consumer Contracts Act:

These provisions transpose the Consumer Rights Directive (2011/83/EU), and its predecessors). The information requirements include an obligation for the online business to provide the consumer with information on the goods' or services' most important characteristics.

If an agreement is concluded through a website, the website must also comply with the information obligations under the E-Commerce Act, including information on name, physical address, e-mail, CVR number (business registration number), and so on.

Further, in most cases, the Danish Consumer Contracts Act grants consumers a 14-day right of withdrawal or "cooling-off period", as long as the purchase has taken place online or otherwise qualifies as distance selling. However, among other things, hotel reservations, airplane tickets and gambling are not covered by the 14-day right of withdrawal. If the consumer has been duly notified of the cooling-off period at the time of purchase of, for example, goods, the cooling-off period starts at delivery. If the consumer has not been duly notified of the cooling-off period, the cooling-off period only starts when the consumer has been duly notified of it.

Freedom of contract applies to a great extent in B2B contracts. However, the Danish courts may declare invalid certain terms deemed unusual, unexpected or burdensome, in particular in relation to consumer contracts. Any term that deviates from mandatory consumer law is not enforceable.

Therefore, browse-wrap and shrink-wrap contracts are usually either censored or set aside by courts, unless they are trivial. Click-wrap contracts are enforced to a higher degree, but unusual, unexpected or burdensome terms should be highlighted to ensure that the accepting party is made aware of these. Generally, the clearer the wording of the contract and the rights/obligations to be undertaken by the parties are, the more likely it is that the contract will be enforceable.

There are no limitations in relation to electronic contracts, including in relation to real estate.

Information subject to the requirements in section 8 of the Danish Consumer Contracts Act must be provided to the consumer in Danish, if the product or service has been marketed in Danish, unless the consumer expressly gives consent to receive the information in another language. The same applies to the marketing of a voluntary guarantee to consumers.

The Danish Contracts Act provides a general legal framework for entering into contracts. The rules are technology neutral and apply to both businesses and consumers. The Danish Contracts Act contains in its section 36 a general clause, which can be used to have unreasonable or dishonest contracts or clauses declared null and void. In practice, the general clause is primarily used to declare a contract or a specific provision null and void in exceptional cases, where retention of the contract or provision is unreasonable.

The Danish Contracts Act provides mandatory legislation in favour of the consumer, for example in relation to entering into and the validity of consumer contracts. The Danish Sale of Goods Act also provides mandatory legislation in favour of consumers, for example in relation to defects that become apparent within the first six months from delivery of the good(s)/passing of the risk. In this case it is generally presumed that the defects were present at the time of delivery.

In addition, the Danish Consumer Contracts Act contains a regulation on the validity of consumer contracts (for goods and services). Most notably, in the case of online or distance selling, the seller must provide certain information to the consumer, or the consumer is not bound by the contract.

The Danish Credit Contracts Act contains a specific provision for consumers regarding the validity of retention of title. Further, the consumer is required to receive certain information about the credit purchase from the seller before entering into a contract. Otherwise, the consumer will not be considered bound by the contract.

The Platform to Business Regulation (P2B Regulation) (2019/1150/EU) also applies in Denmark, supplemented by the Danish law on the enforcement of the P2B Regulation. The P2B Regulation provides for harmonised rules on, for example, requirements for fair and transparent contractual terms offered by the online intermediate services ("platforms") to business customers ensuring good commercial conduct.

Neither the General Data Protection Regulation (GDPR) ((EU) 2016/679) nor the Danish Data Protection Act contains any specific requirements other than data must be deleted when the purpose of the processing has been fulfilled.

There are a few national retention requirements, for example in the Danish Bookkeeping Act, which requires that any data relevant for bookkeeping purposes must be stored for at least five years from the end of the accounting period to which the data relates. However, it is generally up to the business to decide when the data is no longer relevant and consequently should be deleted. Many businesses rely on the Danish Limitation Act to determine a retention period for specific categories of personal data.

"E-mærket" is a well-accepted trust mark (www.emaerket.dk). The organisation is established by several major Danish associations that represent consumers' as well as businesses' interests. Representatives of the associations are members of E-mærket's board of directors.

To use E-mærket, the business must file an application and meet certain requirements to qualify. Most notably these include:

For more details, see www.emaerket.dk/certificering-hos-e-maerket ("betingelser & retningslinjer"). Once accepted, the business is granted the right to use E-mærket's logo and the services provided by E-mærket. An annual member fee of between DKK8,388 and DKK29,988 excluding VAT must be paid, depending on the number of employees and whether instalments are paid on a monthly or annual basis.

The remedies for breach of an electronic contract are the same as for any other contract. However, in respect of electronic consumer contracts, a consumer is not bound by the contract if certain information was not provided before the conclusion of the agreement, as mentioned in Question 7.

Danish law recognises e-signatures.

General rules on contracts apply to e-signatures.

The Electronic Identification Regulation (eIDAS) ((EU) 910/2014) also applies.

An electronic signature is data in electronic form which is attached to or logically associated with other data in electronic form, and which is used by the signatory to sign (eIDAS).

Outside of eIDAS, e-signatures are generally defined as any form of electronic or digital way of indicating a willingness to be bound.

Generally, there is no legal requirement for the format of e-signatures. However, certain public systems, for example a registration of title to land, require the use of the national MitID electronic signature.

Generally, there are no limitations on the use of e-signatures. If an e-signature is disputed, the party claiming that the signature is valid must prove this.

However, there are a few exceptions in relation to enforcement through the bailiff's court, for example regarding mortgage deeds. When enforcing credit agreements through the bailiff's court, the e-signature must meet or surpass the requirements of the OCES standard (a national Danish standard for electronic certificates). It sets certain technical minimum requirements as well as requirements in relation to the issuance of the e-signature.

Collection and processing of personal data is regulated in the GDPR and the Danish Data Protection Act.

The laws apply to anyone processing personal data by electronic means and to most non-electronic processing of personal data, except where, for example, the processing takes place in the course of a purely personal or household activity.

As for territorial scope, the GDPR applies among all EU member states. Specifically, it applies to the processing of personal data:

The Danish Data Protection Act applies to all businesses established in Denmark, regardless of whether the processing takes place in Denmark or not. Where a business is not established within the EU, the Danish Data Protection Act also applies to businesses that:

The GDPR and the Danish Data Protection Act regulate any information relating to an identified or identifiable natural person (that is, personal data as defined in Article 4(1) of the GDPR). The definition of personal data has in the past years expanded significantly due to technological developments. Businesses should be aware that although data may seem anonymised based purely on the data held by the business, the data may in combination with other data which can reasonable and legally be accessed by the business, become identifiable and therefore constitute personal data.

Personal data is divided into categories, ranked by sensitivity:

The Danish Data Protection Act supplements the GDPR with national regulation of certain categories: criminal records (section 8) and social security numbers (that is, CPR number) (section 11).

Both the collection and use (that is, processing) of personal data is subject to the GDPR and the Danish Data Protection Act. Collection and processing of personal data is generally prohibited, unless a legal basis for the processing can be identified. Legal bases for digital businesses are typically performance of a contract, legitimate interest or consent, but there are many other legal bases that may be relevant depending on the circumstances.

Stricter limitations on collection and processing apply to the collection and processing of sensitive personal data (that is, data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, sex life or sexual orientation, genetic data and biometric data for the purpose of uniquely identifying a natural person).

Additionally, all processing of personal data must comply with the general data protection principles, such as the principles on data minimisation, purpose limitation, storage limitation, and so on (Article 5, GDPR).

The GDPR and the Danish Data Protection Act do not as such restrict the use of cloud services. However, due to the nature of cloud services, special attention should be given to the security set up, the use of sub-data processors and transfer of personal data to recipients outside the EEA.

Transfers to non-EEA countries is restricted under the GDPR and will require a transfer tool, such as for example, the EU Commissions Standard Contractual Clauses and an assessment confirming that law and practice in the recipient country do not impinge on the protection of personal data provided by the EU Commissions Standard Contractual Clauses.

The Danish Data Protection Act contains a "location requirement rule", under which "nationally critical" IT systems kept for public administration (containing personal data) must usually be stored and accessed only in Denmark. Nationally critical IT systems are included on a special list issued through an Executive Order (accessible here: www.retsinformation.dk/eli/lta/2022/220 ). Only a few national IT-systems are currently included on the list.

As further detailed in Question 21, payments data can be processed provided that the processing is done in accordance with certain principles and rules provided in the Danish Payments Act.

The police can, by means of a court order, gain access to or compel disclosure of personal data when investigating crime, if there is reason to believe that the information can be used as evidence and that the evidence cannot be obtained through other less intrusive means.

Other public authorities may be granted a right to access or compel disclosure of personal data in certain situations. For example, the Danish Taxation Authorities can request access or compel disclosure of any information, among others personal data from any company, provided that such information is of importance in relation to controlling calculation and payment of correct taxes. The rules cannot be used to obtain private information on persons if controlling of payment of correct taxes can be done without access to that information.

The use of cookies is allowed and regulated by the "Cookie Order", an executive order implementing rules on cookies set out in the E-Privacy Directive. Cookies must not be set or read without the end-user's prior informed consent, except where the cookie is strictly necessary to provide the requested service. A cookie consent is typically obtained through a cookie banner displayed on the website. In addition, the website owner must provide a cookie policy explaining in depth which cookies are used, for how long, and so on.

The cookie consent banner must include the purpose(s) for which cookies are set or read (all purposes must be listed, such as functionality, targeted marketing, and statistics) and who sets or reads cookie data obtained from the website. In the banner it is sufficient to simply name the website owner and "third parties" (although a list of these must only be one click away). The cookie banner must also include a direct link to the cookie policy where the end-user can access further information about the website's use of cookies and how to withdraw cookie consent. Finally, the cookie banner must have an accept and a decline option for the website user to click.

The cookie policy must include the following information, written in a clear and intelligible language:

The cookie consent allows for cookies to be set and read on the website user's equipment. If data that is collected by the cookies is personal data (which it will be in most cases), the rules laid down in the GDPR and the Danish Data Protection Act apply.

For further information on the use of cookies and the link between data protection and cookies, please refer to the Danish Business Authority's guidelines on how to comply with the Cookie Order and the Danish Data Protection Authority's guidelines on processing of personal data about website users (including a new quick guide, which can be accessed here: www.datatilsynet.dk/Media/E/7/Quickguide.pdf).

When processing personal data, the data controller must establish appropriate technical and organisational security measures to protect personal data against destruction, loss or alteration, and against unauthorised disclosure, abuse or processing in violation of the GDPR and the Danish Data Protection Act.

Providers of electronic communication networks and services must ensure on a continuous basis that appropriate technical and organisational measures are in place to control risks in relation to information security. The appropriate level of security must be set considering the level of technological developments and relevant risks must be taken into account.

When handling credit or debit card payment information, businesses must ensure compliance with the Payment Card Industry Data Security Standards (PCI-DSS) stipulating how to handle payment card information. Most e-businesses ensure compliance by outsourcing handling of payment card information to payment service providers.

For technical requirements, see Question 21.

As of 1 January 2019, both public and private organisations must use encryption when transmitting sensitive and confidential personal data by e-mail through open networks such as the internet. Previously, only public authorities were required to use encryption, but as a result of the risk-based approach in the GDPR, the Danish Data Protection Agency has decided to extend this requirement to private organisations as well. The Danish Data Protection Agency has clarified that TLS encryption must be TLS 1.2 or higher.

On its website, the Data Protection Agency describes how organisations can transmit personal data safely through open networks (by listing different types of appropriate encryption methods). See www.datatilsynet.dk/emner/persondatasikkerhed/transmission-af-personoplysninger-via-e-mail/ for more details.

As of 22 October 2020, the Data Protection Agency further specified that no data controller should request data subjects to send sensitive or confidential personal data through an unencrypted internet connection. The obligation (as a data controller under Danish jurisdiction) to ensure appropriate security applies not only from the point in time the data controller receives the data, but from the point in time the data subject sends the requested information to the controller. The controller therefore has an obligation to provide a sufficiently secure two-way transmission solution. This obligation does not apply where the data subject provides unrequested personal data or actively chooses not to make use of a secure transmission solution. See www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/okt/maa-man-opfordre-borgere-til-at-bruge-en-ukrypteret-forbindelse for more details.

Businesses can freely choose to accept any form of payment in non-cash instruments, provided that they also accept cash in certain periods. For security measures in relation to payment cards, see Question 19. When accepting payments from cards issued in Denmark, web shops cannot charge any additional fees for accepting the cards. Certain cards are, however, excluded from the ban on charges, and fees can be applied to mobile payments and company cards.

Non-cash payment is regulated in detail in the Payments Act, which transposes the Revised Payment Services Directive (PSD2) ((EU) 2015/2366) into Danish law. The Financial Supervisory Authority monitors and supervises compliance with the Payments Act, while the Consumer Ombudsman and the Competition and Consumer Authority ensure consumer rights as well as equal access to the payments market.

Businesses must comply with certain conditions and principles detailed in the Payments Act when processing payments data.

To ensure the security of payment services, businesses must comply with certain technical requirements in accordance with the Regulatory Technical Standards issued by the European Banking Authority. Among these is the requirement for businesses to implement strong customer authentication (SCA) by the end of 2020. Generally, SCA has been implemented. The Danish FSA is discussing SCA implementation with the relevant stakeholders in the sector on an ongoing basis.

The Danish Marketing Practices Act sets out an obligation to conduct all marketing aimed at children and persons under the age of 18 in accordance with the special needs of this particular group. This obligation fully applies to website materials aimed at children and persons under the age of 18. The Danish Consumer Ombudsman has issued a guidance paper on marketing directed at children and young people (see www.consumerombudsman.dk/media/14560/guidance-on-children-young-people-and-marketing.pdf).

Websites should be particularly diligent with regard to directly or indirectly inciting violence or other dangerous or inconsiderate behaviour, and should avoid making unwarranted use of violence, fear or superstition to influence children and young people. Marketing on websites should not mention or include images of or references to intoxicants, including alcohol. Websites should avoid practices that can be considered as aggressive or unclear towards children and young people. Further guidance can be found in the code of marketing and advertising issued by the International Chamber of Commerce.

Companies granted licences for use of their online digital content or software in other jurisdictions can invoke the protection of the Danish Copyright Act against the unauthorised use of their online digital content or software in Denmark.

In general, the Danish rules on linking are reflected in the Court of Justice of the European Union (CJEU) judgment in Nils Svensson and Others v Retriever Sverige AB (C-466/12) (Svensson/Retriever). According to this judgment, deep linking to copyright protected works is in general permitted (that is, there is no need for consent from the rights holder).

However, some far-reaching limitations apply:

Metatags and advertising keywords must not infringe competitors' trade marks (for example, by way of misleading or diverting customers to a website with similar products to the competitors' products).

In addition, metatags and advertising keywords must not constitute unfair marketing practices.

The registration of ".dk" domains is regulated by:

DK Hostmaster A/S, dk-hostmaster.dk, has been appointed as administrator of the .dk domain.

Any person can register a ".dk" domain name. It is not a requirement to be a resident in Denmark.

Further, DK Hostmaster A/S can decide to suspend a domain name if, among other things:

Disputes about infringement of trademarks, good domain name practice or decisions made by DK Hostmaster are handled either by the Complaints Board for Domain Names or the ordinary courts in Denmark. Decisions from the Complaints Board for Domain Names can be brought before the ordinary courts.

DK Hostmaster will also transfer, delete or block a domain name if:

A domain name does not in itself confer any additional rights. A domain name is licensed rather than owned, but the use may over time constitute an unregistered trademark.

A domain name can be registered as a trademark provided that the general requirements for registration are fulfilled. Danish trademarks are registered with the Patent and Trademark Office. Unregistered trademarks offer to their proprietor a limited protection against identical/similar trademarks for goods or services identical to those covered by the unregistered trade mark.

The name of a business must be clearly distinguishable from the names of other businesses registered with the Danish Business Authority (DBA) and the rules are:

If the business is a company with limited liability, the business and its name must be registered with the DBA and the company must always state that it has limited liability. As the DBA only examines whether there is a business registered with an identical business name, it is recommended to do a thorough search before filing a name, to ensure that the name is not confusingly similar to another business name.

There are no specific rules on jurisdiction for internet transactions, so the general rules on jurisdiction apply.

If an action is brought against a defendant within the EU, the Brussels Regulation ((EC) 44/2001) applies. If the defendant is domiciled within the EU, the main rules of the Brussels Regulation are:

If an action is brought against a defendant domiciled in a country outside the EU and that country has acceded to the Lugano Convention, the Lugano Convention applies. Currently, Norway, Iceland, Switzerland, Denmark and the EU have joined the Lugano Convention. The convention is a "parallel convention" to the Brussels Regulation and, accordingly, the rules in the two regimes are generally the same.

There are no specific rules on the choice of law for internet transactions.

A distinction must be made between matters regarding contract law and matters regarding tort law.

Rome II applies within the EU. However, due to Denmark's reservations to parts of the EU co-operation, Rome II does not apply in Denmark. Instead, Denmark's national choice of law rules apply to tort matters. No statutory rules exist and choice of law within tort matters is therefore determined in accordance with Danish case law.

The Dispute Resolution Directive (2013/11/EU) (ADR Directive) was implemented through the Act on Consumer Complaints. The ODR Regulation ((EU) 524/2013) came into force on 9 January 2016. Accordingly, a business must inform a consumer about alternative dispute resolution options, including the name and website of the particular organisation.

Complaints over online purchases within the EU can be filed with the Centre for Complaint Resolution (Center for Klageløsning) under the Danish Competition and Consumer Authority. The business, however, is under no obligation to participate in such proceedings.

If a complaint has been brought before Centre for Complaint Resolution by a consumer and the matter has not been settled by the parties, the consumer can bring the matter to the Consumer Complaints Board (Forbrugerklagenævnet), provided the goods and/or services cost more than DKK1,100 but less than DKK100,000 (or, in the case of complaints over shoes and clothes, more than DKK720). The lower limits are subject to indexation every three years and the current numbers are applicable from 1 January 2022.

The Consumer Complaints Board is an independent complaints board handling consumer complaints related to goods and services purchased from businesses. The decisions from the Consumer Complaints Board can be contested by the business within 30 days from the date of the decision. If not contested within this time frame, the decision can be enforced at the bailiff's court. In addition to the Centre for Complaint Resolution and the Consumer Complaints Board, a number of other complaints boards exist, that is, complaints boards handling consumer matters in areas such as hotels or tourism, cars, real estate and financial matters.

In respect of disputes regarding domain names (including disputes between two businesses), a compliant can be submitted to the Complaints Board for Domain Names (Klagenævnet for Domænenavne), which is an independent Complaints Board that decides on disputes between registrants and third parties concerning registration and use of domain names under the Danish ".dk" domain.

The decisions from the Complaints Board for Domain Names are binding.

However, a decision can be brought before the Danish courts.

The business is not legally bound by the Consumer Complaints Board's decisions. The business has 30 days to comply with the Board's decision if the consumer's complaint is upheld. Otherwise, the consumer can recover the claim through the bailiff's court.

The Consumer Complaints Board maintains a list on their website of businesses that do not comply with their decisions.

The Marketing Practices Act is the most important piece of legislation to be observed by businesses when planning the content of their marketing activities. The Act applies in the case of advertising online or through social media, as well as offline. As a supplement to this Act, the Nordic Consumer Ombudsmen have published joint guidelines on:

Businesses must exercise good marketing practice ("good marketing practice" standard) toward consumers, other businesses and public interests (section 3, Marketing Practices Act). Accordingly, an action that is not necessarily contrary to any of the more specific provisions of the Act (for example, provisions on misleading and improper marketing, comparative advertising and marketing directed at children and young people), may be contrary to the provisions of good marketing practice.

In the case of doubt regarding marketing activities, it is possible to direct a request to the Danish Consumer Ombudsman regarding the compliance of a specific marketing activity and to obtain approval in advance.

Businesses operating on social media, blogs, chat rooms and similar should be particularly aware that all marketing must be clearly identified as being commercial messages.

The Danish Consumer Ombudsman published a guide on "hidden advertising on social media for influencers" in 2019. The Consumer Ombudsman has already in many instances filed police reports against businesses and influencers for not complying with the rules on hidden advertising.

See Question 18 on the topic of cookies and mandatory information to be included in cookie consent banners.

Specifically regulated services and products include tobacco, prescription medication and financial services. However, these special regulations apply to both online and offline advertisement.

Online gambling supplied in Denmark requires a permit from the gambling authority. Any advertising of gambling services requires a valid permit. A game offered on the internet is regarded as supplied in Denmark if at least one of the following apply:

All websites in Denmark and in other EU/EEA countries legally selling medication to the public on the internet (that is, pharmacies and authorised retailers) must display a green logo containing certain wording with a link to a verification page. ""The logo indicates that the website is legally selling medication. Under the rules on online sales of medication, medication can only be sold and dispensed in Denmark when a marketing authorisation has been granted.

The Marketing Practices Act contains a specific "spam ban" in section 10, which includes strict limitations. The Danish Consumer Ombudsman published a guide on the spam ban in 2018.The ban states that businesses are not allowed to send electronic messages to their business or consumer customers, unless:

Businesses are fined a minimum of DKK10,000 in the case of a violation of the spam prohibition (up to a 100 spam e-mails). If the number of spam e-mails exceeds 100, the businesses are fined DKK100 per e-mail in addition to the minimum fine. In the case of very large numbers of e-mails or text messages, a certain reduction can be expected. Fines of up to DKK800,000 have been issued. The violations can be reported through the Danish Consumer Ombudsman's website and the Consumer Ombudsman pursues violations robustly.

There are no language requirements for websites in Denmark. However, if the goods and/or services have been marketed in Danish, the information provided to the consumer under the Danish Consumer Contacts Act must be in Danish, unless the consumer has explicitly agreed to receive the information in another language.

Further, in respect of consumers, information of importance (including warranties and user manuals in the case of technically advanced products) must be easily accessible and provided in a language which the consumer understands. Non-compliance with this rule may lead to the goods or services being considered defective under the Consumer Contracts Act section 14(1), No. 14 cf. section 8, subsection 1, No. 16.

Sales concluded online are generally subject to value added tax (VAT) in Denmark. The Act on VAT applies to all kinds of commercial supply of goods and services and makes no exception with regard to online sales.

In addition to VAT, seller's profits of sales concluded online are subject to ordinary income tax.

Danish companies selling products or services are generally required to register for VAT in Denmark if their annual turnover exceeds DKK50,000.

From 1 July 2021, a new common EU limit of EUR10,000 (equivalent to about DKK74,415) applies in all EU member states for distance selling of both goods and certain services (that is, electronic services, telecommunication services and radio and television broadcasting services). In respect of the Danish market, this means that companies established in other EU member states selling goods and services to consumers in Denmark by means of distance selling must register for VAT in Denmark for all goods delivered and/or consumed services in Denmark, if the annual revenue, in respect to the company's total distance selling revenue to all other EU member states than the country of establishment, exceeds EUR10,000.

If a company's annual distance selling revenue for all other EU member states than the country of establishment is below EUR10,000 in total, the company is only obliged to register and pay VAT in the country of establishment, according to national rules.

Within the EU, the place of delivery of goods or the place of consumption of services determines the VAT taxation country. The Danish tax area covers the Danish land areas and territorial waters and the airspace above.

The prices listed in an online shop directed at Danish consumers must include VAT.

EU companies. From 1 July 2021, a company established within the EU that meets the EUR10,000 threshold (see above, Applicability), must pay VAT in the countries to which the company has carried out distance selling. This can either be done by registering with each of the local VAT authorities or by signing up to the VAT One-Stop Shop scheme (Union Scheme/OSS) in the country of establishment. The OSS is an initiative to make it easier for companies to comply with member state VAT regulations. It has been updated to accommodate for the new common EU limit of EUR10,000 and covers distance selling of goods and certain services, where both:

For a list of goods and services included in the OSS, see Danish Customs and Tax Administration: About the EU scheme. If a company registers for the OSS, it only needs to register for VAT in one EU member state and declare and pay VAT for all sales to that EU member state.

Registrations with the Danish VAT authorities must be filed on www.virk.dk. For this purpose, the companies will receive a CVR/SE number and a certificate of registration. In the case of online filing, a MitID signature is needed, which can be requested by contacting Nets Denmark A/S or via www.nets.dk.

A Danish company receives a CVR number on formation. The company can choose to run different businesses under the same CVR number with separate VAT accounts. In this case, administrative units are created and each of them will receive an SE number. Companies in other EU member states do not have a CVR number, but they will receive an SE number on VAT registration. Application for registration must be made no later than eight days before the commencement of the activities subject to VAT in Denmark.

Non-EU companies. For companies established outside of the EU that have no fixed place of business in the EU, VAT must be reported and paid to each of the local VAT authorities when selling services to consumers within the EU. There is a voluntary Non-Union Scheme/OSS, which includes services on which VAT should be paid in the country of consumption, allowing for the company to only report and pay VAT in one EU member state. A non-exhaustive list of relevant services is available at https://skat.dk/skat.aspx?oid=2302065.

Import of all goods from countries outside the EU are subject to import VAT. However, if a company outside the EU sells goods to consumers in a shipment with a real value not exceeding EUR150,00 (equivalent to about DKK1,115) a voluntary Import Scheme/IOSS is available. As a result of the new rules, certain online platforms or marketplaces (electronic interfaces) are in certain circumstances obliged to settle VAT when facilitating the sale of imported goods not exceeding EUR150,00 (they have previously been regarded as intermediaries only).

If the value exceeds EUR150,00, the consumer is charged with the import VAT and the company cannot register with the IOSS. For further information about the new rules, see European Commission: Explanatory Notes on VAT e-commerce rules.

Tax and VAT are complex and should be assessed on a case-by-case basis.

When publishing content on a website, it must be ascertained that the published content does not violate:

A website's operator is always liable for content uploaded by it or by people it employs. In the event of user generated material infringing copyright laws, defamation laws or other public laws regulating content, the hosting platform is to a certain extent shielded from liability under sections 1 to 16 of the E-Commerce Act, implementing Articles 12 to 14 of the E-Commerce Directive (2000/31/EC).

A complaint regarding the content of a website under the .dk domain name can be brought before the Complaints Board for Domain Names or before the ordinary courts (see Question 26.

The following information must be included on the website as a minimum:

(Section 7, E-Commerce Act (implementing Article 5 of the E-Commerce Directive).)

For certain regulated professions, further information requirements apply.

If the website is used for concluding consumer contracts, additional information requirements apply (sections 8, 12 and 14, Consumer Contracts Act). See Question 7 for the additional requirements. Certain information must be provided to the consumer in a clear and prominent manner and before the consumer places their order (section 12, Consumer Contracts Act (implementing Article 8(2) of the Consumer Rights Directive)).

In general, information that is essential for a consumer must be placed in a prominent place on a website, if it is to be considered to have been properly communicated to the consumer. One way to communicate this information is by the use of pop-up windows that must be accepted to proceed.

Finally, the Danish Credit Contracts Act contains specific information requirements in relation to credit agreements involving consumers.

In general, a person producing illegal content for a website can be held liable under Danish contract and tort law. Actions in tort are subject to the Danish culpa (negligence) standard (non-statutory). An example of this is a website's user uploading defamatory statements.

An intermediary can in some cases be held liable for content uploaded by a third party. The E-Commerce Act implemented the E-Commerce Directive's specific rules on liability for intermediaries.

As such, an internet service provider (ISP) cannot be held liable for any content shown on a website hosted by the ISP. However, the ISP may be held liable as a contributing party if the ISP is aware of the illegal content. There is no general obligation for ISPs to monitor the content of a website they host.

An ISP will not be held liable for any illegal content provided that the ISP removes the illicit information as soon as it becomes aware of it (section 16, E-Commerce Act).

Disclaimers regarding the content of a website are widely used by Danish websites. A disclaimer is to an extent normative when assessing potential liability. In consumer relations, however, disclaimers are more likely to be set aside by the judge. In other words, the website's operator risks being bound by prices reflected or warranty statements issued on its website if they offer the consumer a position better than intended.

An ISP can be held liable if it does not immediately take measures to remove illicit content it hosts, once it becomes aware of this (section 16, E-Commerce Act) (see Question 39). This leads to the interpretation that ISPs are allowed to remove or block such material. However, to avoid discussions as to the legality of this in borderline cases, ISPs should clearly include clauses in their terms of use stating this prerogative. As ISPs are under no general obligation to monitor the content of websites, it should generally not be expected that ISPs will take steps against, for example, copyright infringing material unless the illicit nature of the material is specifically brought to their attention.

Generally, the blocking of a domain name system (DNS) requires a court order in the form of an injunction. Interim measures, such as injunctions, are separated from the liability scheme contemplated in the E-Commerce Directive. ISPs are generally expected to be reluctant to remove or block material unless in very clear-cut cases of infringement, and consequently filing for interim measures may prove the most efficient way for a right holder to obtain the removal of infringing material.

Under the Product Liability Act, liability for damage caused by a defect in goods lies with the manufacturer and the intermediary who produced or supplied the defective product.

In assessing whether damage has been caused by a defective product, account is taken of all the circumstances, and in particular the:

It makes no difference whether the transaction took place physically or online, but to potentially liable, the seller must have acted in the course of business.

The Product Liability Act only applies to personal injury and consumer damage. However, the case-law relating to product liability also covers damage to business property, and liability irrespective of whether the act was done in in the course of business.

When shopping online, usually the consumer is dealing with a third party ( an independent seller) and not the provider of the online platform itself. That seller cannot usually be said to be acting on behalf of the online platform.

However, this viewpoint may change if, for example, the online platform applies its name, brand or trade mark on to the product, thereby claiming to be its manufacturer. In such a case, the online platform will be considered as the manufacturer by default under the Product Liability Act, which is why the online platform will be liable for the damage to the product.

An auction site may be obliged to disclose the identity or IP address of a user through a court order.

Online platforms providing goods or services for third parties (for example, deal sites) should be cautious not to become a party to the sale they have facilitated. As a rule, the Danish Consumer Ombudsman accepts that deal sites are acting as intermediaries only when a consumer is duly and unmistakably informed all of the following:

Intermediaries can incur criminal liability as well as liability for damages in accordance with the general rules under Danish law.

Comparison websites must comply with the sui generis database rights in accordance with the Database Directive (96/9/EC), incorporated into Danish law by section 71 of the Copyright Act, meaning that they must now extract significant parts of databases that are the result of a significant investment. However, Danish courts have been reluctant to apply section 71 and favoured applying the standard of "good marketing practice" set out in section 3 of the Danish Marketing Practices Act. Based on the rulings published so far, there is a risk that comparison websites or similar sites could be held to infringe the principle of good marketing practice when including data from other platforms into their services.

There are many types of insurance, and the actual insurance need requires a specific analysis of the company and its services, including the risks connected to them. In general, an online business has the same insurance needs as other companies. However, since IT systems, websites and processing of data often are of more central importance to an online business, it is especially relevant to assess if there is a need for "cyber insurance" or similar. This type of insurance typically covers the company's various financial losses due to hacking, viruses, distributed denial-of-service (DDoS) attacks and so on, where someone externally gets access to the company's IT systems or in other ways causes damage.

Since the insurance terms vary between insurance companies, it is recommended to consult an insurance specialist before taking out insurance.

On 1 November 2022, the Digital Markets Act (DMA) entered into force (the rules will start to apply from 2 May 2023). The objective of the DMA is to:

The Act is relevant for SMEs, as it gives them a chance to participate more effectively in the data economy.

On 16 November 2022, the Digital Services Act (DSA) entered into force. The DSA aims to clarify the responsibilities and obligations of online platforms regarding content provision and moderation, as well as the offering of products for sale in online marketplaces, while retaining the key principles of the e-Commerce Directive.

The DSA is not intended to replace the e-Commerce Directive. Digital services include a wide range of online services, from simple websites to hosting services and online platforms. All online intermediaries will have to comply with wide-ranging new transparency obligations to increase accountability and oversight, for example with new flagging mechanisms for illegal content.