Fladgate
Flatgate
Flatgate
find-partner-btn-inner

Danish furniture company fined for deletion failure

The Danish Data Protection Agency (DPA) has recommended a fine of 1.5 million Danish kroner (approx. £180,000) for a furniture company that failed to delete the data of about 385,0...

share-button Share:

Date: 25/06/2019

Authors:

Eddie powell colour 2017

Eddie Powell

Partner

The Danish Data Protection Agency (DPA) has recommended a fine of 1.5 million Danish kroner (approx. £180,000) for a furniture company that failed to delete the data of about 385,000 customers.

The company in question, IDdesign, had been the subject of a supervisory visit by the DPA in autumn 2018. Prior to the visit, IDdesign had given an overview of its customer data management system, including applicable retention periods. It also explained that it had upgraded its system in some of its shops, but not in all. During the DPA’s visit, IDdesign revealed that the data included in the old system – comprising the names, addresses, telephone numbers, e-mail addresses and purchase history its customers – had never been deleted.

IDdesign’s primary failure was not to meet the GDPR’s requirement that personal data is kept no longer than is necessary in relation to the purposes for which it is collected or processed. IDdesign had failed to indicate “when personal data in the old system [was] no longer necessary for processing purposes, and thus did not specify the deadlines applicable to erasure of the personal data processed in the system”.

The decision underlines the need for data controllers to not only have a retention/deletion policy in the first place, but also to ensure compliance with that policy.

Featured Lawyers

HOW CAN WE PARTNER WITH YOU?

Contact us