The Danish Data Protection Agency (DPA) has recommended a fine of 1.5 million Danish kroner (approx. £180,000) for a furniture company that failed to delete the data of about 385,000 customers.
The company in question, IDdesign, had been the subject of a supervisory visit by the DPA in autumn 2018. Prior to the visit, IDdesign had given an overview of its customer data management system, including applicable retention periods. It also explained that it had upgraded its system in some of its shops, but not in all. During the DPA’s visit, IDdesign revealed that the data included in the old system – comprising the names, addresses, telephone numbers, e-mail addresses and purchase history of its customers – had never been deleted.
IDdesign’s primary failure was that it did not meet the GDPR’s requirement that personal data be kept no longer than is necessary in relation to the purposes for which it is collected or processed. IDdesign had failed to indicate “when personal data in the old system [was] no longer necessary for processing purposes, and thus did not specify the deadlines applicable to erasure of the personal data processed in the system”.
The decision underlines the need for data controllers to not only have a retention/deletion policy in the first place, but also to ensure compliance with that policy.