Danish DPA set to fine furniture company
The Danish Data Protection Agency has reported IDDesign A/S and proposed a fine of DKK 1,5 million for failure to delete data about 385.000 customers.
In the autumn of 2018, the Danish Data Protection Agency carried out a supervisory visit to Danish furniture company IDDesign. One of the questions the visit focused on was whether the company had set deadlines for the deletion of customers’ data and whether the deadlines were complied with.
Prior to the inspection, IDdesign had provided an overview of the systems the company uses for the processing of personal data. This overview revealed that some of the furniture stores used an older system, which had been replaced by a newer system in the other shops. In the old system information was gathered about the names, addresses, telephone numbers, e-mail addresses and purchase history of some 385.000 customers. During the inspection, IDdesign also stated that personal data in the old system had never been deleted.
The GDPR establishes that personal data must be stored in such a way that data subjects cannot be identified for longer than is necessary for the purposes for which the personal data are processed.
IDdesign did not indicate when personal data in the old system are no longer necessary for processing purposes, and thus did not specify the deadlines applicable to erasure of the personal data processed in the system.
The Data Protection Agency therefore considers that IDdesign has not complied with the data protection requirements of the data protection regulation by having processed the personal data for a longer timer than necessary.