Campaign Donor Data Protection Claims in Denmark

1. What “campaign donor data” means legally

Campaign donor data typically includes:

  • Name and identity of donor
  • Donation amount and frequency
  • Political party or campaign supported
  • Affiliation inferred from donation patterns
  • Online contribution records
  • Email/IP/payment metadata linked to donations

Under GDPR, this becomes sensitive because it can reveal:

  • Political opinions (Art. 9 GDPR special category data)
  • Behavioral profiling (political leaning inference)
  • Participation in democratic processes

Even anonymous-looking donation datasets can become personal data if re-identification is possible.

2. Core legal tension in Denmark

Campaign donor data protection claims usually arise in three conflicts:

A. Transparency vs Privacy

Political systems demand transparency in funding, but GDPR demands data minimization.

B. Consent vs Democratic disclosure

Donors may consent to donate, but not necessarily to public exposure or profiling.

C. Political freedom vs data protection

Political parties argue they need data for campaigning; GDPR restricts profiling and targeting.

3. Key Danish enforcement context

Datatilsynet, the Danish Data Protection Agency, treats political data very strictly:

  • Political affiliation is sensitive data
  • Processing requires explicit consent or strong legal basis
  • Profiling voters/donors is heavily restricted
  • Data minimization is strictly enforced

Denmark also follows EU case law directly, meaning CJEU decisions are effectively binding guidance.

4. Major Case Law (EU-level but directly applied in Denmark)

Below are 6+ key cases shaping donor data protection rules.

(1) Schrems II (C-311/18)

Holding:

Invalidated the EU–US Privacy Shield due to surveillance risks.

Relevance to donor data:

Political donation databases transferred to US-based platforms (CRM, analytics, cloud storage) are often illegal unless strong safeguards exist.

Impact:

  • Campaign donor systems hosted outside EU face strict scrutiny
  • Political data transfers require enhanced protections

(2) Planet49

Holding:

Consent must be explicit, not pre-checked.

Relevance:

Political campaigns using online donation forms or tracking cookies cannot assume consent for:

  • profiling donors
  • storing political preferences
  • marketing reuse of donor data

(3) Fashion ID

Holding:

Website operators embedding tracking tools are joint controllers.

Relevance:

Political parties using embedded donation widgets (PayPal, Stripe, Facebook tools) may be jointly liable for donor data processing.

This is critical because:

  • Donor platforms ≠ liability shields
  • Parties remain responsible for downstream data use

(4) Wirtschaftsakademie Schleswig-Holstein

Holding:

Page administrators are joint controllers of Facebook Insights data.

Relevance:

Political parties using social media analytics (donor engagement, fundraising ads) are responsible for:

  • profiling based on engagement
  • donor targeting via platform insights

(5) Meta Platforms Ireland v Bundeskartellamt

Holding:

Limits on combining personal data across services without legal basis.

Relevance:

Political campaigns often merge:

  • voter databases
  • donor lists
  • social media engagement data

This ruling restricts such cross-dataset enrichment without explicit legal justification.

(6) Google Spain

Holding:

Individuals can request delisting of search results.

Relevance:

Donors or political contributors may request:

  • removal of donation-related public references
  • suppression of archived political donation disclosures online

This directly affects transparency registers and media reporting of political funding.

(7) Orange România

Holding:

Consent must be freely given and not bundled into contracts.

Relevance:

Political donation systems cannot:

  • force marketing consent for donation acceptance
  • bundle donor profiling consent with contributions

5. How Danish law applies these cases in practice

Under Danish enforcement practice (via Datatilsynet), campaign donor data is typically governed by:

A. High sensitivity classification

Even small datasets revealing political support are treated as special category data (Article 9 GDPR).

B. Strict purpose limitation

Donor data collected for fundraising cannot be reused for:

  • voter profiling
  • advertising targeting
  • behavioral analytics

C. Minimal retention rules

Political parties must:

  • delete donor data when no longer necessary
  • avoid indefinite retention for “future campaigns”

D. Transparency obligations

Donors must be informed:

  • how data is used
  • whether it is shared
  • whether it is publicly disclosed

6. Common legal claims in Denmark (donor-related disputes)

Campaign donor data protection claims typically involve:

1. Unauthorized profiling

Using donor history to infer political ideology for targeting.

2. Data sharing violations

Sharing donor lists with affiliates or third-party campaign consultants.

3. Lack of consent for publicity

Publishing donor identities beyond legal transparency thresholds.

4. Cross-border transfer violations

Using US-based fundraising platforms without safeguards.

5. Excessive retention

Keeping donor records beyond election cycles.

7. Key legal takeaway

In Denmark:

Campaign donor data is treated not as financial information, but as political identity data, which is among the most sensitive categories under EU law.

The combined effect of EU case law (especially Schrems II and Fashion ID) and enforcement by Datatilsynet makes donor analytics, profiling, and cross-platform fundraising systems legally high-risk unless carefully structured.
